application of formal safety assessment for dry...
TRANSCRIPT
APPLICATION OF FORMAL SAFETY ASSESSMENT FOR
DRY DOCKING EVOLUTION
A thesis submitted in partial fulfilment of the requirements of Liverpool John Moores
University for the degree of Doctor of Philosophy
ATEHNJIA DENIS NJUMO
December 2015
i
Acknowledgements
This PhD is the result of three years of research conducted since I joined Liverpool LOgistics,
Offshore and Marine (LOOM) Research Institute at Liverpool John Moores University
(LJMU) in the United Kingdom. During this period I have had the support of a great number
of people and organisations. It gives me great pleasure to convey my thanks and sincere
gratitude to them in my acknowledgements.
First and foremost I would like to thank my supervisor, Professor Zaili Yang, not only for his
guidance, advice and supervision, but also for his patience, encouragement and care offered to
me whilst completing this thesis. More significantly, his strong commitment and integral views
on research and his expectation of ‘high-quality work and nothing less’ have greatly
encouraged me. I am indebted to him more than words can express.
I wish to extend my sincere thanks to my co-supervisors, Dr. Ramin Rahin and Dr. Karl Jones,
as well as to my advisor Professor Jin Wang, who have always provided me with valuable
advice by examining the progress of my research.
I convey my special acknowledgement to the Commonwealth Scholarship Commission UK
through the Ministry of Higher Education and the Direction of Maritime Affairs (Ministry of
Transport) Cameroon for sponsoring this PhD research for three and a half years, taking care
of all my personal and travelling needs in and out of UK. Without this support, this PhD would
not have been completed. For this I am highly appreciative.
I would also like to extend my special thanks to DMC Consulting, International Maritime
Organization (IMO), Ship Docking Conference (USA), and all other organisations for their
advice and support for this thesis including the supply of useful technical data. The support of
Royal Institute of Naval Architects (RINA) UK in publishing one of my first paper has given
me a great deal of encouragement in pursuing this PhD research.
I convey my special acknowledgements to my wife and daughter for their moral support. My
parents, sisters and brothers deserve special appreciation for their invaluable guidance and
support. I am extraordinarily fortunate to have such a nice family. These acknowledgements
would not be complete without thanking many others, including close and good friends, who
have directly and indirectly assisted me in many ways to conclude my PhD thesis “Application
of Formal Safety Assessment (FSA) for Dry Docking Evolution” successfully.
ii
Abstract
This research has evaluated the rules, guidelines and regulations related to docking a ship in
floating-graving yards. Historical failure data analysis is carried out to identify associated
components, equipment and the area of defects related to ship docking evolution problems. The
current status of ship docking evolution is reviewed and possible sources which cause accidents
are recognised. The major problems identified in this research are associated with risk
modelling under circumstances where high levels of uncertainty exist. Following the
identification of research needs, this work has developed several analytical models for the
application of Formal Safety Assessment (FSA). Such models are subsequently demonstrated
by their corresponding case studies with regards to application of FSA for ship docking
evolution.
Firstly, in this research a generic floating-graving docking model is constructed for the purpose
of hazard identification and risk estimation. The hazards include various scenarios, identified
from literature reviewed as the major contributors to ship docking failures. Then risk estimation
is carried out utilising fault tree (FT) – FSA where there is sufficient data.
Secondly, with increased lack of data, risk estimation is carried out using FT-Bayesian network
(BN) where interdepencies exists amongst identified hazards. This risk estimation method is
validated with the appropriate case study identified.
Thirdly, fuzzy rule base and evidential reasoning approaches are used for risk estimation in
terms of three risk parameters to select the major causes of component failure that can lead to
pontoon deck failure in a floating dock. Possible risk control options (RCOs) are introduced,
based on their effectiveness, to select the best RCO for minimising the risks.
Finally, a cost benefit assessment is conducted to select the best risk control option using BN,
where selections are based on economic terms. The four subjective novel FSA application
methodologies in ship docking evolution are constructed from existing theoretical techniques
and applied to real situations where data collection is otherwise not possible. The construction
of the novel methodologies and the case study applications are the major contribution to
knowledge in this thesis. It is concluded that the methodologies proposed possess significant
potential for the application of FSA for ship docking evolution based on the validations of their
corresponding case studies, which may also be applied with domain specification knowledge
tailored to facilitate FSA application in other shipping industry sectors.
iii
Table of Contents
Acknowledgements..………………………………………………………………………..........................i
Abstract……………………………………………………….…………………………………………….ii
Table of Contents………………...……….……………………………………..…..……………………..iii
List of Tables………….……………………………………………………….........................................xiv
List of Figures………………………..…………….………………………………………….................xvii
Abbrevations………………………..…………….…………………………………………………….…xx
Chapter 1 Introduction...……………………………………………………………………………….…1
Summary……………………………………………………………….………………………………..….1
1.1 Background Analysis……………………………………………………….…………………………..1
1.2 Research Aims and Objectives………………………….……………………………………..…..……2
1.3 Challenges of Conducting this Research…..………………………………………………………........3
1.4 Research Methodology and Scope of Thesis………………………..…………….……………………4
1.4.1 Introduction and literature review………………………..……………………….…………….…….5
1.4.2 Fault tree –formal safety assessment in dry docking evolution…………………………………........5
1.4.3 An advance fault tree - Bayesian networking approach for risk analysis……….…………………....7
1.4.4 Fuzzy rule base with belief degree for risk analysis in dry docking operation….………...………….8
1.4.5 Risk control options and cost benefit analysis in dry docking operatioin…….….……......……..….10
1.5 Structure of PhD Thesis………………………………………………………..….………...……..….10
Chapter 2 Literature Review….………………………………………………………………………….......11
Summary……………………………………………………………….………………………………….11
2.1 Introduction……………………………………………………………………………………………11
2.2 Review of Failures in Floating-Graving Docking Systems………………………….…………..……13
2.3 Floating-Graving Docking Systems…..…………………………………...………………………......15
2.3.1 Shipbuilding and ship repair yards...……………………..……………………….…………………15
iv
2.3.2 Background on graving dock………………………………………..……………………………....16
2.3.3 Background on floating dry dock……………………………………………………………………17
2.3.4 Layout of ship repair yards……………………………………………...……………………….….17
2.3.5 Trends in the ship repairing industry……………………………………………………...………...18
2.3.6 Factors making ship repairing more efficient……………………………………………………….19
2.3.7 Factors affecting the selection of a dry dock system…………………………………………….….19
2.3.8 The economics of docking a vessel………………………………………………………………….21
2.3.9 The ship dry docking specification..………………..……………………………………………….21
2.3.9.1 Shipyard docking plan……….….…………………………………………………………………21
2.3.9.2 Accuracy factors……….……..…………………………………………………………………....22
2.3.9.3 Top level dry dock specification………...………………..…………………………..……...……23
2.4 Critical Review on Risk Asssessment Methods………………….....………………………………....24
2.4.1 Failiure mode identification…..…...…………...……….………………...….…………...………....24
2.4.2 Failure modes and effects analysis…..………………...……………...….…………….…………....25
2.4.3 Fault tree analysis and petri nets…..………………...…….………………...….…………...……....25
2.4.4 Bayesian network…..…………………………….………..…………...….…………………….......26
2.4.5 Floating-graving dock response…..…….………..………..…………………...….………………...27
2.4.6 Consequence analysis of docking accidents…….…………………...............................…...……....27
2.4.7 Assigning probabilities…..…………….………………………………...….…………..……...…....27
2.4.8 Limitation on regulation………..…..…….………..………..…………………...….………….…....28
2.4.9 Risk assessment methods used in dry docking operations…….……….......................………..........28
2.4.10 Review on the importance of applying novel risk assesment methods………………….………....31
2.5 Data Collection and Accident Reports…………...…..………..…………………...….……………....32
2.5.1 Typical shipyard accidents…………………..…….…………………...............................………....32
2.5.1.1 Jurong shipyard accident…..…………….…………………………...….…………..……….........32
2.5.1.2 Subic bay accident…...…..…………….………………………………...….…………..………....33
2.5.1.3 Tulza shipyard strikes.…..…………….………………………………...….…………..………....33
v
2.5.1.4 Union naval de Lavante accident…..……….…………………………...….…………..………....33
2.6 FSA Applied to the Shipping Industry………………………..………………………….……………34
2.6.1 Characteristics of FSA in the dry docking industry…………………………………………………35
2.6.2 FSA in other organisations...…..…………………………...………...…………………...………....36
2.6.3 Implication of the application of FT-FSA……………………………………….…………..………37
2.6.4 Factors affecting the implementation of FT-FSA……………………………………………...……37
2.6.5 Risk evaluation………………………………………………………………………………………38
2.6.6 Uncertainties in applications of FSA…..…………………….………………………..……….……38
2.6.7 Expert judgement protocol in FSA………………………………..……………………...………....38
2.6.8 Risk control and cost benefit analysis in FSA………………………...…………………….....……40
2.6.9 Recommendation for decision making in FSA………………………………………..…………….40
2.7 Introduction to Risk Assessment Methods Applied in this PhD…………………………...….........…40
2.7.1 Fault tree- Formal safety assessment………………………………………………………………..40
2.7.2 Fault tree- Bayesian network………………………………………………………………………..42
2.7.2.1 Rotor failure system analysis…..………………...………………………………………………..42
2.7.2.2 Vessel oil system safety analysis…..……………...………………………………………………43
2.7.2.3 Modelling using FTA…..…………………………………...……………………………………..43
2.7.2.4 Bayesian network…..……………………………….……………………………………………..45
2.7.3 Fuzzy set theory and evidential reasoning…..……………………………………………..………..48
2.7.4 Evidential reasoning…..………………………………………………………………….…...……..52
2.7.5 Fuzzy rule base…..………………………………………………………………………………......54
2.7.5.1 Belief rule base inference…..……………………...…………………………..…………………..54
2.7.5.2 Rule based FIS using belief structure…..…………...……...…………….………………………..55
2.7.5.3 Rule weight…..……………………………….………….………………………………………..56
2.7.5.4 Attribute weight…..……………………………….…..…………………………………………..56
2.7.5.5 Fuzzy logic systems and their properties…..………..…...………………………………………..57
2.7.5.6 Establish experts real-valued hazard data…..…………..………………………………………....58
vi
2.7.5.7 Fuzzy input set to extract rules…..………………...……………….……………………………...58
2.7.5.8 Extraction of rules from input fuzzy sets and fuzzy rule base……..…….………………………..58
2.7.5.9 Evaluation of rules for output fuzzy set…………..…..…………………………….……………..59
2.7.5.10 Aggregation and de-fuzzification…...……..…..…………..……………….……..……………..59
2.8 Problems in Applications of FSA in Dry Docking Industry…………………………..………………60
2.9 Justification of Research.…………...……………………………………………………………........60
2.10 Discussions and Conclusion…………………………………………………………..……………...62
Chapter 3 Fault Tree – Formal Safety Assessment in Docking Operation….……………………….65
Summary……………………………………………………………….………………………………….65
3.1 Introduction……………………………………………………………………………………………65
3.2 Statement of Problem………………………….…………..………………………………………..…66
3.3 Funtional Component of FSA in Dry Docking…..……………………………………..…………......68
3.3.1 System definition….……………………..………………...…….…………………………….……68
3.3.1.1 Docking and undocking activities…...…….……………………………………………………....72
3.3.1.2 Docking evolution…………….……………………………...…………….………………….......72
3.3.1.3 Communication…………………………………………………………………………………....72
3.3.1.4 Facilities……………………………………………………………...….…………………….......73
3.3.1.5 Docking vessel……………….………………………………………………...….……………....73
3.3.1.6 Undocking evolution………….……..…………………………………………...….…….……....74
3.3.1.7 Human error……………………………………………………….…………...……………….....75
3.3.1.8 Maintenance and inspection…………………………………………………...….…………….....75
3.3.1.9 Environment…………………………………..………………………...….………….………......75
3.3.2 Hazard identification……………………………………………….………………………..………76
3.3.2.1 Gate collapse…..……………………………………………………………...………….….….....76
3.3.2.2 Failure of pontoon deck – structural failure…..……………….……………...….………..……....76
3.3.2.3 Stability failure…..………………………………………………………….....….……….……....77
vii
3.3.2.4 Docking block failure…..…………………………………………...………...….………..……....77
3.3.2.5 Grounding…..………………………………………...…………………….…………………......77
3.3.2.6 Dry dock wall failure…..……………………………………………………………...……..........78
3.3.2.7 Contact events…..……………………………………………………………...…………….…....78
3.3.2.8 Fire events…..…………………………………………………..……………...…………….…....78
3.3.3 Steps of FSA in dry docking operation……....………...…………………………………………....78
3.3.3.1 Problem definition and generic model…..………………………………….....…………….….....79
3.3.3.2 Step 1 Hazard identification………………..…..……………………………....….……………....79
3.3.3.3 Step 2 Risk analysis…..……………………………………………………......….……………....82
3.3.3.4 Step 3 Risk control option…..………………………………….…...……….....….……………....82
3.3.3.5 Step 4 Cost benefit assessment………..………………………………………....……………......83
3.3.3.6 Step 5 Recommendation for decision making…..……………………………….…......……........84
3.4 Accident Data Collection and Analysis …..………………………...……………...………………....85
3.4.1 Data from Health and Safety Executive UK…………………...……………………..…………..…86
3.4.2 Data from bureau of labour statistics USA…..……………………………………..…………….....87
3.4.3 Census of fatal occupational injuries in SSR USA…………………...…………………………..…88
3.4.4 Data collected from occupational safety and health division, Singapore…..…………………….....88
3.4.5 Work place fatality by type of accident…………………...…………………………………..…….89
3.4.6 Temporary disablement in shipbuilding and repair…..……………………………………..………89
3.4.7 Accident analysis in dry docking operation…………………...……………………………...…..…90
3.4.7.1 Risk of fall from height..…………………..…..……………………………...….……………......90
3.4.7.2 Risk of electric shock………………..…..………………………….…...….…………………......91
3.4.7.3 Risks of fire and/or explosion…..……………………….…………………………….....………..91
3.4.7.4 Risks of being struck by or stricking against objects…....…………………………………….......92
3.4.7.5 Risks of being caught in between objects…………...…………………………...……………......92
3.4.8 Steps in the application of FT-FSA in dry docking operation …..………………...…………..........93
3.4.8.1 Problem definition……….………………..…..……………………………...….……………......93
viii
3.4.8.2 Chooose goals and set constrainsts……………………..……………………………...…...…......93
3.4.8.3 Select risk analysis method..…..……………………...……………………………….....………..93
3.4.8.4 Draw fault tree for hazard identified………………..…...……………………………….…..........93
3.4.8.5 Risk matrix of identified hazards………..……………….…………………...……….………......93
3.4.8.6 Calculate equivalent total.………………..…..…………..…………………...….……………......94
3.4.8.7 Hazard ranking………………..…..……………………….……...….………..………………......94
3.4.8.8 FTA quantification process…..…………………………….………………………….....………..94
3.4.8.9 Failure rate of top event…..…………………………………...…………...…………….…..........94
3.4.8.10 Identifiy risk control option………..…………………………...………..……...……...……......94
3.4.8.11 Group risk options to risk measures…………………..………………………………...….….....95
3.4.8.12 Risk control measures analysis………………..…..……………..…..…………...….………......95
3.4.8.13 Cost per unit risk reduction analysis…..……………………………….…………………….…..95
3.4.8.14 Compare effective curr and rcm……………..…..………..…………………………….…..........95
3.4.8.15 Decision making………..…………………………………..................................………...…......95
3.5 Application of FT-FSA in Dry Docking Operation: Fall from Hieght …..…………………...……....96
3.5.1 Definition of work….………………...…………………………………..………………………….96
3.5.2 Risk ranking…..……………………………………..……………....................................................96
3.5.3 Risk matrix & generic locations…………………...…………………………..……………………97
3.5.4 Calculating equivalent total – fall from height……………………………..…………………….....98
3.5.5 Risk estimation, fall from height due to scafoolding failure…….……………...………………...…98
3.5.6 Risk control option – fall from scaffolding…..……………………………………..……………...100
3.5.7 Cost benefit assessment…………………...………………………………………………………..106
3.5.8 Recommendation for decision making……………………………………..……………………....107
Chapter 4 Use of Fault Tree – Bayesian Network for Dry Dock Risk Analysis…...……………......108
Summary……………………………………………………………….………………………………...108
4.1 Introduction………………………………………………………………………………………..…108
ix
4.2 Problem Definition………………………….…………..……….………………………………..….111
4.3 Dock Entrance and Dock Gate………………………………………………………………...…..…113
4.3.1 Steel sliding gate, Birkenhead, UK…………….…………..……………….…………………..….114
4.3.2 Dry dock No.10., Marseilles, France…………….…………..……………….………………..…..116
4.4 The Application of a Fault Tree – Bayesian Network………………………………………...…..…117
4.4.1 Safety criticality software analysis………………………….…………………………………..….117
4.4.1 Feeding control system analysis………………………….……………………………………..….118
4.4.2 FPSO collision analysis………..………………………….…………………………………..…....118
4.5 Fault Tree - Bayesian Network Mapping Algorithm…………………………………………..…….119
4.6 Illustrative Example………………………………………………………………………………….122
4.6.1 Dry dock gate failure analysis………………………….…………………………………..………122
4.6.2 Probability of failure under no evidence………………………….…………………………….….124
4.6.3 Probability of failure under given evidence………………………….………………………....….124
4.6.4 Probability calcuation under causal reasoning………………………….………………..……..….125
4.6.5 Recommendations………………………………………………………………………………….125
4.6.6 Fault tree – Bayesian Network framework……………….………………………………………..126
4.6.6.1 Structural transformation from FT to BN……………….…...……………………..……………126
4.6.6.2 CPT determination………….…………………………..……………………………………......126
4.7 Problems of Constructing a Large Bayesian Network in Risk Analysis…………………………….127
4.7.1 Idioms…………………………………………….…….…………………………………..………129
4.7.2 Challenges of constructing a conditional probability table ………………………….…….………129
4.7.3 Ranked nodes approach…………………..………………………….……………………….....….130
4.7.4 Using doubly truncated normal distribution for modelling ranked nodes…………………………132
4.7.5 Modelling ranked nodes using min and max……………………………...……………………….133
4.7.6 Creating ranked nodes using AgenaRisk software ………………………….…….……………….135
4.8 Risk Analysis of a Large Dry Dock Gate Failure Model…………….………………………………136
4.8.1 Application of sliding dry dock gate at Birkenhead, UK…………………………………….....….137
x
4.8.2 Familiarisation – sliding dry dock gate failure at Birkenhead, UK…………..……………………137
4.8.3 Converting fault tree to Bayesian network……..……………………………...…………………...140
4.8.4 Qualitative analysis……………………………………… ………………………….…….………141
4.8.5 Modelling using agenaRisk…………………..………………………….…………………......….143
4.8.6 Quantitative analysis…………………………………………………….…………………………144
4.8.7 Sensitivity…………………….…………………………….……………...……………………….149
4.9 Discussions and Conclusion………………………………………………………………………….150
Chapter 5 A Fuzzy Rule-Based Approach For Risk Analysis In Dry Docking Operation.……......152
Summary……………………………………………………………….………………………………...152
5.1 Introduction………………………………………………………………………………………..…152
5.2 Problem Definition………………………….…………..………………………………………..….155
5.3 Application of FRBS in Risk Assessment…………………………..………………………...…..…157
5.4 Rule Based System with Fuzzy Evidential Aggregation………………………………..………..….159
5.4.1 The fuzzy belief structure…………………………………………………………….…….………160
5.4.2 Belief rule-based inference methodology using the evidential reasoning approach …..…......……160
5.4.3 Fuzzy rule base with belief degree….…………………………………...…………………………161
5.5 Proposed Fuzzy Evidential Reasoning Rule Base with Belief Degree…………………………....…161
5.5.1 Hazard identification and faullt tree………………………………………………….…….………164
5.5.2 Belief rule base inference…………………………………………………………..…..…......……164
5.5.3 The development of a fuzzy rule base…………………………………...…………………………165
5.5.4 Input transformation………………………………………………….……………………..……...169
5.5.5 Rule inference using the evidential reasoning approach…………………………...…..…......……170
5.5.6 De-fuzzification of output…………...……………………...…………...…………………………170
5.5.7 Intelligent decision system software…………………………………...…………….…….………171
5.5.8 Convert crisp possibilit score into probability value…………………………….…..…......………171
5.5.9 Fussell-Vesely importance of base events…………………………………………………………171
xi
5.5.10 Cut sets importance…….………………………………………………………….…….………..172
5.5.11 Fault tree ++ software……………………………………………………………..…..…........….172
5.6 Structural Failure of Pontoon Due to Excessive Transverse Bending……….………….………..….173
5.6.1 18,000 ton floating dock…………….……………………………………………….…….………173
5.6.1.1 Pontoon’s Deck Strength………….………………………………………….………....…..……173
5.6.1.2 Method of de-Ballasting………………….…………………………...……….…………………174
5.6.2 14,220 ton floating dock………………………………………………………...……………....…176
5.6.2.1 Assumption on calculation……...………………………………………………….…….………176
5.6.2.2 Fantail blocks error….……….…………………………………………………..…..…......……177
5.6.2.3 Pumping plan assumption….……..…………………………………...…………………………177
5.6.3 Consequence analysis………………………………………………….………………..…….........177
5.7 Case Study: Pontoon Deck Failure Analysis………………………...………………….………..….178
5.7.1 Case study description……………………………………………………………...…..…......……179
5.7.2 Expert linguistic input data…………...…………………………………...………….……………182
5.7.3 Belief rule inference using evidential reasoning……………………….…………….…….………183
5.7.4 Combining activation rules…………..………………………………………….…..…......………186
5.7.5 Fault tree quantitative analysis……………………………………………………………………..186
5.7.6 Results……………………………………………………………………………………………...188
5.7.7 Sensitivity analysis……………….………………………………………………………………...189
5.7.8 Discussion………..……...……………………………………………………………..…..…........189
5.7.9 Conclusion…………...……………………………………………………………..…..…........…..190
Chapter 6 Risk Control Options and Cost Benefit Analysis for Docking Operation....…………...191
Summary……………………………………………………………….………………………………...191
6.1 Introduction………………………………………………………………………………………..…191
6.2 Problem Definition………………………….…………..…………….…………………………..….194
6.2.1 Background problem…………………………………………………………….…….…………...194
xii
6.2.2 Cost-effectiveness analysis problem……………………………………………… …..…......……195
6.2.3 A priori assessment problem………..…………………………………...…………………………196
6.3 Safety Measures Review in Docking and Undocking Operations…...…………………………....…197
6.3.1 Safety measures key information………………………………………………….…….…………197
6.3.2 Risk safety measures for gate and pontoon deck failure……………………...……………………197
6.3.3 Risk control and risk re-assessment result………………….…………...…………………………200
6.4 Cost-Effectiveness Analysis Factors………………………………………………….……………...201
6.4.1 Expected cost……………………………………………………………...…..…......………….…202
6.4.2 Evaluation of expected benefits…………...………………………….....…………………………202
6.4.3 Evaluation of expected risk-reducing effect……………………………...…...……..…….………203
6.4.4 Reference value for each safety measure………….…………………………….…..…......………203
6.4.5 Uncertainty effects for each safety measure……………………………………………………….203
6.4.6 Ranking of safety measures for decision making…….……………………………………………204
6.4.7 Advantage of Bayesian network-based cost-effecttiveness…………………..……..……….....….204
6.5 Cost-Effective Bayesian Network Framework………………..………………….………..………...205
6.5.1 Creating a graphical structure for cost-effectiveness factor relationships………….…….………..205
6.5.2 Calculating the conditional probability distributions………………………………....…..………..207
6.5.3 Inference…………………………………….…………………………...…………………………209
6.5.4 Net expected benefit crisp probability value…………………...…………………....……………..210
6.6 Results……………………………....………………………………………………….…….………211
6.6.1 Running model….…………………………………………………………..…..…......…………...212
6.6.2 Categorisation of cost-effectiveness of each safety measure………………..…………………..…213
6.6.3 Parameter sensitivity analysis………………………………………………….…………..............213
6.6.4 Result analysis………………………...………………….………..……………………………….213
6.7 Conclusion………………………………………………………….………………...…..…......……215
xiii
Chapter 7 Intergration of PhD Chapters…………………………………………….…...…………...217
Summary……………………………………………………………….………………………………...217
7.1 Dry Docking Formal Safety Assessment…………………….…………………………………..…..217
7.2 Risk Assessment and Cost Benefit Analysis...…………..………………………………………..….218
7.2.1 FT-FSA in dry docking operation……………………………………………….…….…………...219
7.2.2 Fault tree- Bayesian network approach for dry docking operation....…………..….…..…......……220
7.2.3 Fuzzy rule base with belief degree for risk analysis in dry docking operation………..….……..…221
7.2.4 Risk control options and cost benefit analysis in dry docking evolution…...……….…………..…222
7.3 Reccomendation for Decision Making……………………….…………………………………..…..223
Chapter 8 Conclusion and Implications…………………………………………….…...………….....225
Summary……………………………………………………………….………………………………...225
8.1 Research Background………………….…………………….…………………………………..…...225
8.2 Research Contribution………………..….…………..………………………………………..……...226
8.2.1 FT-FSA in dry docking risk analysis……………………………………………………........……227
8.2.2 FT-BN approaoch for risk analysis in ship-docking system………...…………….…..…......……227
8.2.3 FERB approach for risk analysis in dry docking operation………………………..…..…......……227
8.2.4 Truncated normal distribution BN for cost benefit analysis….………….…..…......……………...227
8.3 Practical Applications of PhD Research………………..….…………..……………………..……...228
8.4 Integration of Results…..……………..….…………..…..………………………….………..……...229
8.5 Limitation of Research………………..………………..….…………..……………………..……....230
86 Implications for Further Research………………….…………………………….…….………..…....231
References…………………………………………….…...………….....................................................234
Appendix……………………………………………...…...………….....................................................252
xiv
List of Tables
Table 1.1 Structure of PhD Thesis………………………………………………………………………...10
Table 2.1 Summary of factors to be considered in the selection of a dry dock system…………….........20
Table 2.2 Failure likelihood……………...................................................................................................49
Table 2.3 Consequence severity…………….............................................................................................49
Table 2.4 Failure consequence probability…………………………………....…………………............50
Table 2.5 Safety membership………………………………………………………...…………….........50
Table 3.1 Shipyard frequency and severity rate…………………………………………………………...81
Table 3.2 Shipyard severity value……...………………………………………………………………….81
Table 3.3 Shipyard risk matrix…………………………………………………………………………….82
Table 3.4 Injury rate in UK SSR…………………………………………………………………………..86
Table 3.5 UK SSR incident statistics for period 1999-2002………………………………………………86
Table 3.6 US Census for fatal occupational injuries from 1992-2000………………………………….....87
Table 3.7 Census of fatal occupational injuries 2003-2006……………………………………………….88
Table 3.8 Accident severity rate 2006 and 2007………………………………………………………......88
Table 3.9 Accident by type of agent………………………………………………………………………89
Table 3.10 Accident types leading to temporary disablements in SSR…………………………………...89
Table 3.11 Accident categories and description…………………………………………………………..96
Table 3.12 Interpretation of the frequencies F1-F4…………………………………………………….…97
Table 3.13 Shows the severity level in a typical shipyard industry…………….…………………………97
Table 3.14 Fall from height using risk matrix ranking…………………………….……………………...97
Table 3.15 Number of occurrences of each ranking score for fall from height……….…………..………98
Table 3.16 Present HAZID Worksheet for hazard due to scaffold failure………….……………………..98
Table 3.17 Basic event with failure rates assign………………………………………………………….99
Table 3.18 Risk control option log……….………………………………………………………………100
Table 3.19 Failure rates values for basic events….……………………………………………………...101
xv
Table 3.20 15% RCO1 improvement….…………………………………………………………………102
Table 3.21 85%RCO2 improvement…….……………………………………………………………….103
Table 3.22 40%RCO3 improvement…….……………………………………………………………….104
Table 3.23 35% RCO4 improvement….…………………………………………………………………105
Table 3.24 Results obtained from step 3………………………………………………….……………..106
Table 3.25 Summary of cost-benefit assessment….……………………………………………………..107
Table 4.1 The variable distribution and nodes of the DDGF network…………………………………...123
Table 4.2 Conditional probability table for Q1, E1 and E2……………………………………………...123
Table 4.3 BN comprehensive framework.……………………………………………………………….136
Table 4.4 The linguistic expression for five experts for each parent V1- V24…………………………..147
Table 4.5 Resulting prior probabilities and suggested weights of V1-V24……………………………...147
Table 4.6 Effects of parents V1-V24 on children U1-U8………………………………………………..148
Table 4.7 U2 vs SF incremental influence……………………………………………………………….150
Table 4.8 U7 vs SF incremental influence………………………………………………………………150
Table 5.1 Rule base development………………………….………………………………….................166
Table 5.2 Membership function for crisp probability value…………...………………………………...170
Table 5.3 The immediate event…………………………………………………………………………..181
Table 5.4 Event symbols…………………………………………………………………………………181
Table 5.5 Expert input for B19………………………….………………………………….....................184
Table 5.6 Rule weight for B19…………………………………….…..………………………………....184
Table 5.7 Expert input for B12…………………………………………………………………………..185
Table 5.8 Rule wieght for B12……………………………………..………………………………….…185
Table 5.9 Expert input for B1………………………….…………..…………………………………….186
Table 5.10 Rule wieght for B1………………………………………..………………………………….186
Table 5.11 Probability value of base event…………………………………..………….……………….187
Table 6.1 Risk safety measures for study A……………………..………………………………………199
Table 6.2 Risk safety measures for study B……………………………………..……………………….200
xvi
Table 6.3 Five (5) scale mapping……………………………………..………………………………….208
Table 6.4 Three (3) scale mapping……………………………………..………………………………...208
Table 6.5 Membership function for crisp probability value……..………………………………………210
Table 6.6 Truth table for risk control options for studies A and B obtained from experts………………211
Table 6.7 Result for study A……………………………………..………………………………………212
Table 6.8 Results for study B……………………………………..……………………………………...212
xvii
List of Figures
Figure 1.1 Research methodology…..………………...….……………………………….……….………..5
Figure 2.1 Breakdown of specification accuracy factors…………………….……………….…...………22
Figure 2.2 Top level dry dock specification……..…..…………………………………………………….23
Figure 2.3 Overview on the application of FSA ……..…..……...……………………………….……….36
Figure 2.4 General look at authorities that can apply FSA..………………….………………....………...37
Figure 2.5 Fault tree of system failure……………………………..…….………………...……………...44
Figure 2.6 BN translated for further analysis …………………………………………..…..……………..44
Figure 2.7 CPT for a simple BN structure………………………………………………………………...46
Figure 2.8 CPT for Engine, coolant hose and oil pump…………………………………………………...47
Figure 2.9 The schematic of belief structure FIS………………………………………………………….55
Figure 2.10 An overview of the safety model for risk using a fuzzy rule base approach………………....57
Figure 3.1 Overview of dock……………………………………………………………………………...69
Figure 3.2 Modelling process……………………………………………………………………………..69
Figure 3.3 Mother model………………………………………………………………………………….70
Figure 3.4 Docking and undocking evolution…………………………………………………………….71
Figure 3.5 Flow chart for hazard identification…………………………………………………………...80
Figure 3.6 Risk assessment flow chart…………………………………………………………………….82
Figure 3.7 Application of RCO and outcome……………………………………………………………..83
Figure 3.8 FTA results obtained from fall from height due to scaffold…………………………………..99
Figure 3.9 Results showing the unavailability (Q) of event fall from height……………………………100
Figure 3.10 FTA of 15%RCO improvement……………………………………………………………..102
Figure 3.11 FTA of 85%RCO2 improvement……………………………………………………………103
Figure 3.12 FTA of 40%RCO3 improvement……………………………………………………………104
Figure 3.13 FTA of 35%RCO3 improvement……………………………………………………………105
Figure 4.1 Flow chart of the development of study…….………………………………………………..109
Figure 4.2 General arrangement of a sliding gate in Birkenhead, UK….……………………….……….114
xviii
Figure 4.3 Dock gate chamber of the dry dock no. 10, Marseilles, France.……….…………………….116
Figure 4.4 Cross-section of the dock gate….………………………………………….…………………117
Figure 4.5 Sealing system….……………………………………………………….……………………117
Figure 4.6 Mapping FT to BN.…………………………………………………………………………..119
Figure 4.7 The ‘OR’ and ‘AND’ gate in FT and BN.……………………………………………………119
Figure 4.8 Dry dock gate construction….………………………………………………………………..122
Figure 4.9 Functional analysis of gate failure….………………………………………………………...122
Figure 4.10 Fault tree of DDGF…………….……………………………………………………………124
Figure 4.11 Bayesian conversion mapping diagram of DDGF…….…………………………………….124
Figure 4.12 DDFE top event 85% when event E12 fails 100%.................................................................125
Figure 4.13 Flow Chart for FT-BN transformation…….………………………………………………..126
Figure 4.14 Typical BN risk assessment….……………………………………………………………...128
Figure 4.15 Typical qualitative BN fragment of a graving dock gate.…………………………………..129
Figure 4.16 WMEAN function for U1, given V1, V2, and V3….………………………………………133
Figure 4.17 WMIN function for U1…….………………………………………………………………..135
Figure 4.18 Declaring a rank weight expression for a node in AgenaRisk..……………………………..135
Figure 4.19 Functional list for sliding dry dock gate failure mode……………………….……………...138
Figure 4.20 FT-BN sliding dry dock gate failure mode….………………………………………...…….142
Figure 4.21 Expert input evidence for parent node V1……….………………………………………….145
Figure 4.22 The wizard to insert weight of experts and uncertainty….………………………………….146
Figure 4.23 BN model for Parent U1-U8……….………………………………………………………..148
Figure 4.24 System failure (SF) probability…….……………………………………………………….148
Figure 4.25 Result when dry dock gate fails…….……………………………………………………….149
Figure 4.26 Tornado graph showing sensitivity analysis….……………………………………………..149
Figure 5.1 Flow chart of the development of the study.……………………………………………...….154
Figure 5.2 A generic dry dock safety assessment and synthesis framework…….……………..……..…161
Figure 5.3 Fuzzy rule base approach…..………..……..…..……...……………………………….……..162
xix
Figure 5.4 Flowchart of proposed fuzzy rule base safety modelling methodology………....…………...163
Figure 5.5 Comparison of panels…….………………..……………………………………………...….173
Figure 5.6 Bending moment diagram buoyancy less than load…….…………………………..……..…174
Figure 5.7 Bending moment diagram buoyancy equals load…..………..………………….……………175
Figure 5.8 Distribution of buoyancy….……………………………………………………………….....176
Figure 5.9 Pontoon deck failure model….……………………………………………………………….178
Figure 5.10 Fault tree diagram of pontoon deck failure..………………………………………………...182
Figure 5.11 B19 rules combination…...………………………………………………………………….184
Figure 5.12 B12 rules combination..….………………………………………………………………….185
Figure 5.13 B1 rules combination..…….………………………………………………………………...186
Figure 5.14 project options….…………………………………………………………………………...187
Figure 5.15 TE graphical result…………………………………………………………………………..188
Figure 5.16 TE result summary…..….………………………………………….………………………..188
Figure 6.1 Flow chart of the development of the study….…………………………………………...….193
Figure 6.2 Formal safety assessment showing cost-benefit assessment…....…………………..……..…198
Figure 6.3 Factors affecting cost-effectiveness…….……..……....……………………………….……..202
Figure 6.4 Cost-effective BN framework…..……………………………………...………...…………...206
Figure 6.5 Net expected benefit of implementing RCOA2, Result No. 2……….…..…………………..212
Figure 6.6 Target node and sensitive node selection.……………………………………………………213
Figure 6.7 Sensitivity analysis using RCOC3…………….……………………………………….……..214
Figure 6.8 Sensitivity analysis using RCO4A…..…………………………………………...…………...214
Figure 7.1 Dry dock formal safety assessment process….……………………………….……….……..217
Figure 7.2 Risk assessment and cost benefit analysis framework….…………………….....…………...218
xx
Abbreviations
BN Bayesian Network
BRB Belief Rule Base
BRBI Belief Rule Base Inference
BSL Bureau of Statistic of Labour
CAF Cost of Averting a Fatality
CB Cost Benefit
CPD Conditional Probability Distribution
CPT Conditional Probability Table
CS Consequence Severity
DST Demspter-Shafer Theory
ER Evidential Reasoning
FCP Failure Consequence Probability
FDST Fuzzy Dempster-Shafer theory
FL Failure Likelihood
FIS Fuzzy Inference System
FMEA Failure Modes and Effects Analysis
FRBS Fuzzy Rule Base System
FSA Formal Safety Assessment
FST Fuzzy Set Theory
HSE Health Safety Executive
ILO International Labour organisation
IMO International Maritime Organisation
IAEA International Atomic Energy Agency
MSC Maritime Security Council
NPT Node Probability Table
OHS Occupational Health and Safety
OSHD Occupational Safety and Health Division
RCO Risk Control Option
RINA Royal Institute of Naval Architects
1
Chapter 1 – Introduction
Summary
This chapter first introduces the key information used in this research. The research aim and
objectives are then defined, followed by the background analysis. Following on, the challenges
of conducting the research, research methodology and scope of the thesis are demonstrated.
Finally, the structure of the overall thesis is given.
1.1 Background Analysis
Shipbuilding and repair is an extremely complex business, which means a significant number
of tasks must be performed in parallel. The handling and processing of steel through the
production process requires the greatest amount of facilities and space in shipyards (Baris,
2012). In such large organisations, processes often depend on complex and distributed
interactions between human operators and technical systems, which are intensive and regulated
by procedures (Sybert et al., 2008). This has contributed to high risk and fatalities. Therefore,
there is a need to introduce risk based decision making to optimise resources.
Based on the United State of America Bureau of Statistics, shipyards remain one of the riskiest
workplaces in the Some 115 fatalities and 1620 reported accidents were registered in Turkish
Shipyards alone, between the period of the year 2000 and 2010, 3.5 times the average of all
industry groups (Baris, 2012). The result from this finding shows five major typical accidents
at shipyards in order of occurrence as: falling from a height; exposed to electric shock; fire/and
or explosion; being struck by or stricking against objects; and caught in between objects.
From a safety assessment point of view, determinants of the complexity of the organisation
under study are stated as (Sybert et al., 2012): (1) The number and types of entities in the
organisation (human roles, technical systems); (2) The number and types of interdependencies
between entities in the organisation; (3) The number and types of hazards in the organization
i.e. situations/conditions that potentially affect the level of safety; (4) The amount of data
available for hazard analysis, and risk control. Perrow (1984) argues that the results of growing
complexity of socio-technical systems and human inability to understand and control these
accidents should be considered as natural occurrences rather than abnormal phenomena.
Hollnagel (2004) builds further on the notion that accidents are normal occurrences and stresses
the role of performance variability from the origin of accidents. In dry docking (bringing a
ship for repair out of water), there exist some challenges and fatal accidents reports as well.
Notably, on March, 27, 2002 at Dubai Dock No 2 (one of the world’s largest ship repair
2
facilities) ‘gate failure’ caused uncontrolled flooding of the dock leaving 21 people dead (Paul,
2011).
This incident and others have raised safety concerns in the operation and safety management
assessment in shipyards especially dry docking operations. This has been the challenge in
respect to shipbuilding and repair system safety standing out as being complex and uncertain.
The adoption of the formal safety assessment (FSA) concept will be used to solve existing
gaps. Existing gaps within the framework include the lack of experts to carry out a proactive
risk based approach to deal with accidents and eliminate its occurrence from its origin as
Hollnagel (2004) states.
There has been a high level of uncertainty in historical failure data, which shall be addressed
in this study, by using novel subjective approaches (Chiou, 1995). The inherent uncertainty can
be caused by imperfect understanding of the domain, incomplete knowledge of the state of the
domain at the time where a given task is to be performed, randomness in the mechanisms
governing the behaviour of the domain, and/or the combination of these (Eleye-Datubo et al.,
2006).
FSA, a process of identifying hazards, evaluating risks and deciding on an appropriate course
of action to manage this risk in a cost-effective manner, shall be used in this study (Trbojevic
and Carr, 1997). This methodology has relevant published applications in the maritime field
with successful impact (Wang and Foinikis, 2001; Hu et al., 2007; Lee et al., 2001). It consists
of 5 steps (Hu et al., 2007) : hazard identification, risk assessment, risk control options, cost
benefit assessments and decision making. In this study, sequential accidents shall be analysed
for safety assessment of docking vessels with failure models. A novel decision making
technique will be developed for selecting the best risk control options (RCOs) in dry docking
operations.
1.2 Research Aims and Objectives
The aim of this work is to develop a new safety assessment methodology for dry docking
operations to enable the identification and prioritisation of dry docks hazards, for the
quantitative analysis of the associated risks and rational decision of selecting the best control
options. The objectives developed to achieve this aim are as follows:
1. To develop qualitative frameworks for representing relationships of components and
subsystems of dry docking operation and systems;
3
2. To develop new risk assessment approaches supporting the novel quantitative method
using Fault Tree Analysis (FTA) and FSA.
3. To develop novel models for hazard identification and risk analysis in dry docking
under uncertainty using fuzzy set, Bayesian network (BN), and evidential reasoning
(ER);
4. To apply fuzzy Truncated Normal ranked nodes Bayesian network in multi attribute
group decision making for cost/benefit assessment of RCOs in dry docking operations;
5. To identify software packages based on the applications of the above models in real
cases in order to demonstrate their applicability and feasibility.
1.3 Challenges in Conducting this Research
Floating and graving dry dock failure data are scarce or incomplete; as such the uncertainty
associated with docking and undocking evolution problems may significantly undermine the
risk assessment conducted based on traditional risk assessment techniques. In order to deal
with these, novel risk assessment techniques have to be developed and applied as part of this
work.
These novel uncertainty treatment methods should be capable of providing satisfactory results.
The first challenge under uncertainty comes when risk estimation is conducted for the identified
hazards. Hazard identification is normally carried out by employing traditional hazard
identification techniques such as preliminary hazard analysis (PHA) and, hazard and
operability study (HAZOP).
Hazard identification and risk estimation can also be conducted by utilising techniques such as
FTA and event tree analysis (ETA). However, due to high levels of uncertainty related to
docking and undocking evolution problems, such techniques may be unsuitable; therefore the
solution is achieved by developing a novel approach with the combination of fuzzy set theory,
evidential reasoning, and Bayesian networks.
The second challenge is associated with decision making based on risk estimation results under
a high level of uncertainty. The problem becomes more complex if interval data has to be taken
into account. Interval data increases the complexity of criteria aggregation which further
increases the complexity of the problem.
It should be noted that when the complexity of a problem increases, uncertainty will be further
increased. These problems can be solved and decision making conducted by combining fault
4
tree (FT), BN, fuzzy rule base and ER. The third challenge under uncertainty arises when risk
control options are chosen for identified areas of high risk estimation.
The five steps of the FSA framework (hazard identification, risk estimation, risk control options
selection, cost benefit assessment and decision making) can be facilitated to deal with docking
and undocking evolution risk analysis problems by developing the above mentioned four
subjective fuzzy modelling based approaches with a combination of various uncertainty
treatment methods. Expert judgement plays a vital role in this subjective assessment. The
uncertainty which comes from the lack of data is recognised as the major challenge of
conducting this research.
There is also the challenge of validating the generic models developed in each technical
chapter. These are all novel models in an area where no conceptual scientific risk assessment
work has been done so far. However, this challenge is partially met by applying these models
to real floating and graving dry docks.
1.4 Research Methodology and Scope of Thesis
The main research methodology of this thesis is based on risk assessment conducted under the
safety principles of FSA. As described in the previous sections it is achieved by using the four
core technical chapters of this thesis. The main methodology is outlined in the following
sections. In this research, the FSA method adaptation for risk control in floating-graving
docking operations is investigated.
Research on the application of FSA to prevent hazards or failures in these systems is rare. So
far, the safety assessment approach for risk analysis in certain identified hazards in floating-
graving dock operations has arrived at some conclusions. Nonetheless, the key element for
reaching adequate results is gaining suitable data. Often, intelligent building domain data are
collected as a linguistic variable. Then they are processed into numerical data with some errors.
But even if data are hard to obtain and vary a lot with time, the FSA method based on fuzzy set
theory, Bayesian network, and evidential reasoning helps to get an acceptable outcome, has
great tolerance and is insensitive to errors made in swapping linguistic into numerical data,
which is the biggest problem in such domains of research (Mikulik and Zadjel, 2009).
The FSA management process in dry dock is an enhancement of the traditional safety
management process in that the three fundamental components – surveillance, periodic dry
dock safety reviews, and maintenance procedures – are central to the procedure. Together they
5
permit informed decision making concerning the manner in which the risks are being
controlled. The purpose of this section is to provide an overview of the various aspects of the
dry dock formal safety assessment management framework in line with the outcome of this
PhD research. A comprehensive framework is illustrated in Figure 1.1.
Figure 1.1: Research Methodology
1.4.1 Introduction and literature review
The significance of carrying out an analytic literature review is crucial for the success of this
study. It is the first step for conducting this research. Examination is focused on ship repairing
systems and risk analysis methods. Relevant conference papers, journals, books, websites will
be identified. Priority, however, shall be given to the latest work. Greater attention will be paid
to various ‘risk based’ and ‘proactive’ risk assessments, to tackle the objective of this work.
1.4.2 Fault tree –formal safety assessment in dry docking evolution
The relevance of the methodology of FSA has been proven in marine and offshore systems
such as fishing vessels, ports, marine transportation, offshore support vessels, containerships,
LNG ships, ship hull vibration, crushing ships, liner shipping, high speed crafts, oil tankers,
trail studies of passenger roll on/roll off (roro) vessels with dangerous goods and bulk carriers
(Nwaoha et al., 2012). By applying the FSA methodology, a new risk analysis framework in
the ship repairing industry is outlined below: (1) Hazard identification - The first step is the
foundation of FSA. It is to identify hazards in dry docks. Hazard is a physical situation or
condition with the potential for human injury, damage to property and/or environment. In a dry
Evaluation
Existing gaps
Performance goal
Uncertain
Risk assessment
outcome under
uncertainty:
Justification of method
Case study application
Cost benefit (CB)
analysis outcome:
Use outcome from
Chapter 4 and 5 for CB analysis
Chapter 1 & 2
PhD Objective
PhD Literature Review
Study Analysis
Surveillance
Dry dock safety reviews
Chapter 3
FT-FSA application in
dry docking system
Step 2
Select appropriate method and justification
Chapter 4 & 5
FT-BN for risk assessment
Fuzzy rule base - ER
Chapter 6
Cost benefit
assessment
Does dry dock meet performance?
6
dock system, historical data and expert judgement using a brain storming technique are used to
identify hazards. Experts are drawn from dry docking design, operations and management.
The FTA approach is used to determine hazards, possible causes and outcomes of each accident
category deductively; (2) Risk assessment - The second step is risk assessment. It is to identify
the distribution of risk, thereby focusing on high risk areas that need to be controlled. Risk
assessment is a comprehensive estimation of the probability and the degree of the possible
consequence in a hazardous situation in order to select appropriate safety measures. In this step,
risks associated with the identified hazards of dry docks system in step 1, are evaluated to
determine their significance. This step provides qualitative and/or quantitative information to
decision makers. Many new quantitative risk analysis models will be developed to tackle the
inherent uncertainties in this work; (3) RCOs are developed based on results from step 2. The
purpose of this third step is to propose effective and practical RCOs comprising of, focusing
on risk areas needing control, identifying potential risk control measures (RCMs), evaluating
the effectiveness of the RCMs and grouping RCMs into practical regulatory options.
Again, appropriate interviews will be carried out to develop RCOs; (4) Cost benefit assessment
- The fourth step is to identify and quantify the cost to be paid and benefit to be expected when
each RCO developed is implemented (Lee et al., 2001). Each RCO is evaluated in terms of
cost implementation and then by deriving its associated cost per unit reduction in risk (CURR);
(5) Decision making- The final step is safety recommendations in dry dock presented in an
auditable and traceable manner to relevant decision makers. These recommendations are based
upon comparison and the cost benefit analysis of RCOs. A new multi-attribute decision making
model will be established in this step.
Many quantitative analyses are required in Steps 1 and 2. Fault Tree Analysis (FTA) is used in
these steps to provide the inputs for steps 3, 4, and 5 in dry dock safety assessment. However,
challenges of using FSA in dry dock safety assessment are: (1) Gathering enough materials
from experts; (2) Quantitative analysis needs the support of various databases; (3) Field
measures requires a significant period of time for statistical collection. To overcome these
challenges, databases shall be widened to include the following; Marine Accident and
Investigation Database (MAID) UK, Shipbuilders Council of America, National Shipbuilding
Research Program, American Shipbuilding Association, Occupational Safety and Health
Administration UK, Shipyard Workers Union of Turkey, Chamber of Turkish Naval Architects
and Marine Engineers, International Dry Dock Accidents and Registration.
7
FTA on the other hand, is a very popular and diffused technique for modelling and evaluation
of large, safety and critical systems. Henley et al. (1995) carried out a diffused analysis on
dependability modelling using FSA. It is a deductive analysis, starting with potential or actual
failures and deducing their causes (Chris et al., 2012). Root causes of failures frequently have
to be inferred from multiple indirect observations. Fault trees are intended for reliability and
fault analysis rather than diagnostic observation (Wojtek and Milford, 2006).
FTA has wide application in system safety engineering such as security design, risk assessment,
and the management of safety critical projects (Zhuang et al., 2011). FTA shall be undertaken
for preliminary safety analysis, especially the qualitative analysis of identifying the root causes
for the development of RCOs. FTA is an effective methodology in the safety analysis of
system; it also has some deficiencies especially when being used in complex engineering
systems such as dry docking. These disadvantages include (Hu et al., 1995); (a) Events in FT
are assumed to have only two states, namely working or failure, but in actual engineering some
events are polymorphic; (b) Events in FT are assumed independent, but actually some of them
may have interdependent relations.
1.4.3 An advanced Fault Tree-Bayesian Networking approach for risk analysis
The combination of these two approaches, has been reported in aerospace and manufacturing
industries (Zhuang et al., 2011). BN is an approach to deal with intrinsic drawbacks in FTA.
This method is based on uncertainty treatment theory. It is usually grouped under uncertain
categories like fuzzy logic, Markov models, artificial neural networks, Monte Carlo simulation,
grey theory, and Dempster-Shafer theory (Yang et al., 2005).
BN has great ability in modelling randomness and capturing nonlinear causal relationships.
This potential has increased its popularity in recent years. Yang et al. (2008) states that it is ‘a
powerful risk analysis tool,’ because it can be used in a range of real applications concerned
with predicting properties of safety critical systems. The most important step is to map FT to
BN. Every FT can be mapped to its corresponding BN. Mapping steps used in this study may
refer to He and Tao (2011): (1) Create a root node in the BN for each basic event of the FT,
and merge the same basic event appearing many times in the FT into one root node in the BN;
(2) Assign the root nodes of BN the prior probabilities corresponding to the basic events of FT;
(3) Create the corresponding node in BN for each logical gate of FT, and use directed arcs to
connect these nodes in order to indicate the relationships between them; (4) Assign the nodes
in BN the conditional probabilities for the corresponding logical gates of FT. The advantage of
8
using FT-BN is highlighted in its application to the safety of critical systems such as aircraft
(Jiye et al. 2011), vessels (Zhuang et al. (2011), and software development (Chris and Kernel,
2012).
A novel conversion approach is proposed, consisting of 15 steps, for FT-BN mapping analysis
in failure analysis of dry docking. These steps include: gather information, develop FT of dock
failure, assigning of occurrence probability of basic events, calculate minimum cut sets,
calculate prior probability of top events, mapping fault tree to Bayesian network (4 steps),
establishing nodes with dependency, create conditional probability table (CPT) and prior
probabilities for each node, normalise probability propagate evidence, and calculate posterior
probability.
Consequently, the common uncertainty issue associated with partial dependence among FT
events can be appropriately tackled in dry docking safety analysis. A common criticism of the
Bayesian approach is that it requires too much information in the form of prior probabilities,
and that this information is difficult or impossible to obtain in risk assessment (Yang et al.,
2008).
Again, the BN approach is based on probability theory; it aggregates data without
differentiating aleatory and epistemic uncertainties. Moreover, it requires a priori information
which sometimes limits its application to updating existing information (Sadiq et al., 2006).
Lastly, a BN approach may not properly aggregate multi-expert knowledge where and when it
is required. Fuzzy evidence theory addresses these issues effectively and is able to combine
conflicts through a belief structure (Lefevre et al., 2002; Bae et al., 2004; Saliq et al., 2006).
1.4.4 Fuzzy rule base with belief degree for risk analysis in dry docking evolution
The success of FSA depends on how practical solutions are provided for decision making under
uncertainty in dry docking operations. Fuzzy evidential reasoning (FER) capable of dealing
with uncertainty can be used either as a stand-alone method or combined as a part of an FSA
methodology (Godaliyadde et al., 2009).
The main focus of this thesis is to use fuzzy theory and evidence theory approaches, to deal
with linguistic/subjective uncertainties of event probabilities, and the latter is used to handle
incomplete/partial ignorance of expert knowledge (Ferdous et al., 2009). The FER approach in
assessing terrorists attacking ports (Yang et al., 2005) and for risk control of a liquefied natural
gas carrier (Nwaoha et al., 2011) has been tested to yield good results. Yang et al. (2005)
9
highlighted the advantage of using the FER method to deal with those threat-based risks, which
are more ubiquitous and uncertain, than hazard-based risks in supply chains. Another
advantage is presented by Wang (2000), as a subjective modelling tool, applied to formal ship
safety assessment. The richness of the FER algorithm is also reported in several other maritime
risk and safety assessment studies (Wang et al., 1995 and Wang, 1997).
Fuzzy sets and evidence theory have proven effective and efficient in handing uncertainties in
data, especially data unavailability and incompleteness (Cheng, 2000; Sentz and Ferson, 2002;
Wilcox and Ayyub, 2003; Bae et al., 2004; Ayyub and Klir, 2006). Using this method in dry
dock operation, FER is capable of combining uncertain evaluations of failure mode level and
implementing hierarchical propagation of evaluations between different levels’ of operations.
To demonstrate the applicability of these approaches in risk assessment in dry docks, a case
study for ‘dry dock gate failure’ will be revisited.
A fuzzy rule based system with final evidential aggregation is proposed for risk analysis in
floating dry dock. Accidents involving transverse bending failures of dry dock pontoons are
presented. Fuzzy rule based systems are one of the most popular approaches for representing
the knowledge because of some of their unique characteristics. The simplicity of analysis of
complex systems and modelling the nonlinear relationships of the input-output in the realm of
fuzzy inferences system (FIS) are some of the promising features (Aminravan et al., 2011).
A general structure of rule-based belief functions for knowledge representation was presented
by Eddy and Pei (1986). Most of the suggested belief rule based systems use evidential
reasoning algorithms to aggregate the uncertain knowledge presented on belief structures
(Aminravan et al., 2011). Amongst all evidential reasoning methods, the Dempster-Shafer
theory (DST) (Dempster, 1967 and Shafer, 1976) provided a framework for handling
granularity, non-specificity and conflict and was successfully used in different applications.To
date, several evidential reasoning algorithms using distributed modelling framework based on
DST have been introduced (Yang and Singh, 1994 and Smets, 2007).
The advantage of using this approach in this thesis is that fuzzy rule based systems (FRBS)
have the capability to model and interpret vague information in a linguistic environment. FRBs
have found a wide variety of applications in various engineering problems.
10
1.4.5 Risk control options and cost benefit analysis for docking operation
A robust method for evaluating the cost-effectiveness (CE) of risk control options (RCOs)
analysis proposed in the outcome of risk analysis is required. However, the deficiencies of
current CE methods are highlighted, undermining the lucidity and consistency in application.
The proposed approach outlines a subjective mathematical formulation that neatly integrates
all aspects of CE measures along with its application based on the ranked nodes with Truncated
Normal distribution Bayesian network. This method is used in FSA for docking and undocking
evolution demonstrating the ease of the application and clarity of results interpretation.
FSA forms the basis for decision making towards mitigation of risk. The latter is done through
determination of RCOs ranking them according to impact on risk and cost, and provision of
recommendations as to which RCOs are most sensible. Major FSAs submitted to the
International Maritime Organisation (IMO), encompassing different ship types such as LNG
carriers, container vessels, and roll-on-roll off passenger vessels, identified a number of RCOs
for each ships (Puisa and Vassalos, 2012).
1.5 Structure of the Thesis
This thesis is composed of eight chapters, with Chapters 3, 4, 5, 6 and 7 being highlighted as
its core. The titles of the eight chapters are summarised in Table 1.1.
Table 1.1: Summary of Chapters in Thesis
Chapter
No.
Title
1 Introduction
2 Literature Review
3 Fault tree-Formal Safety Assessment in Dry Docking Evolution
4 Fault tree-Bayesian Network for Graving Dock Gate Failure Analysis
5 Fuzzy Rule Based with Belief Degree for Structural Failure of Floating Dry Dock Pontoon
6 Risk Control Options and Cost Benefit Analysis of Dry Docking Evolution
7 Integration of the Developed Methods
8 Conclusion
Definitions of typical terms is listed in Appendix 1.
One publication arising from this research is listed in Appendix 2
11
Chapter 2 – Literature Review
Summary
The literature review conducted in this chapter is broad. It includes a review of standards and
regulations of dry docking a vessel, historical failure analysis, a critical review of floating and
graving dry dock industry, introduction of Formal Safety Assessment (FSA), a critical review
of marine risk assessment, and justification of the research. Generally, this chapter gives an
overview of the current status related to dry docking and undocking evolution problems. The
fundamental aspects and benefits of FSA approaches to dry dock safety are described. The
guiding principles of the application of a FSA framework for risk-based dry dock safety
surveillance, periodic dry dock safety reviews, and the operations procedures are outlined. The
critical review of traditional and novel risk assessment is conducted to select the most suitable
techniques for conducting risk assessment, identify risk control options and conduct a cost
benefit assessment based on the safety principles of FSA. Finally, justification of the research
is discussed. Though the focus of this work is the safety of existing dry dock systems, the
concepts are equally applicable to the design of new ones.
2.1 Introduction
Operating shipping fleets requires professional organisations to execute various processes in
terms of administrative, technical, and operational matters (Celik and Er, 2006). Performing
docking operations – which are the biggest logistical and planning issue in the context of
planned ship maintenance programmes – is one of the critical processes for ship managers
under the control of technical and operational divisions (Celik and Er, 2006).
In general, shipyards have specialised workshops and spaces such as mechanical, electrical,
steel sandblasting, docking, painting, and others. Routine docking works such as washing, grit
blasting, coating, sea chest cleaning, proper dismantling, polishing, controlling of tail shaft and
stern tube seals can be listed as the main facilities during a docking period (Celik et al., 2009).
The shipping firm’s roles in the docking process begins with planning the time, period and
concept of the work and finishes with the trial voyage and completing the required tests of the
systems at the end of the whole process.
The selection of a suitable shipyard with respect to many criteria such as ship position,
reputability of shipyard organisation, previous experiences of yards, size of required work,
12
limitations of shipyard, equipment capacity of yard, etc., is needed, and a wide range of market
surveys and a detailed analysis are required to make the final decision (DSC, 2013). A shipyard
organisation with a well-designed docking system which adapts the required technology into
the whole process can manage to perform this process in both a safe and efficient manner. From
the viewpoint of shipyard organisational safety, the facilities of design, construction, and
docking process should be well organised for the application of FSA to satisfy customer
expectations and prevent conflicts after unexpected accidents.
An important change in the dry docking industry is the application of FSA. In the middle of
the 1990s, in order to promote and improve maritime safety, the International Maritime
Organisation (IMO) adopted FSA, which was initially put forward by the Maritime and
Coastguard Agency (MCA) at the 62nd meeting of the Maritime Safety Committee (MSC),
which introduced FSA to the marine industry and put it into use, and asked its members to be
actively involved in the research on ship safety (Fang et al., 2004). FSA is a systematic formal
and integral assessment approach.
The purpose of the application of this method in the safe management of dry docking evolution,
ship design, and shipping is to use the five-step procedure of FSA to conduct an overall analysis
of dry dock design, inspection, operation, and maintenance, etc., thus enhancing maritime
safety. FSA can be used as a tool to improve measures and regulations or to make new ones on
the basis of the analysis of current dry dock designs and engineering techniques, of ship
docking operation and control, standards and regulations of safe management, together with
the combination of realistic needs (Wang, 2001). FSA has changed the traditional reactive
regulatory framework towards a risk-based and goal-setting regime. Risk assessment and cost-
benefit analysis are carried out to complete FSA.
The application of traditional methods of risk assessment may prove difficult when faced with
new hazards and uncertainty. Novel approaches and techniques towards risk assessment are
required in order to deal with such problems. In this chapter, a critical review of floating-
graving dock is conducted to determine the current status of docking problems. A background
study is carried out on a floating-graving docking system, highlighting its layout, trends, and
factors affecting the selection of a dry dock system. The ship docking specification is also
reviewed and the corresponding standards and regulations of floating-graving docks are
presented. Following this, an introduction to FSA and a critical review of the marine risk
assessment are given. Finally, a justification for this research is presented.
13
2.2 Review of Failures in Floating-Graving Docking System
Dry or graving docks are used to enable the ship’s bottom and underwater fittings to be
inspected and worked on (Tupper, 2013). They normally consist of a basin dug into the shore
of a body of water and provided with a watertight gate on the waterside, used for major repairs
and overhaul of vessels. When a ship is to be docked, the dry dock is flooded, and the gate
opened. After the vessel is brought in, positioned properly and guyed, the gate is closed and
the dock is pumped dry, bringing the craft gradually to rest on supporting keel and bilge blocks
anchored to the floor (Cheng et al., 2004).
A floating dock on the other hand usually takes the form of a U-shaped box structure with side
walls mounted on a base pontoon. A large part of the structure is devoted to ballast tanks which
are free flooded to sink the dock. The dock, with the ship, is then raised by carefully controlled
pumping-out of the ballast tanks. The sequence of pumping is such as to limit the longitudinal
deflection of the dock (and hence the ship in it) to avoid undue longitudinal bending moments
(Tupper, 2013). Besides undue longitudinal bending moment is the positioning and stiffness
allocation of docking blocks, which are important decisions when docking a ship because mis-
positioning or mis-allocation of docking blocks may give rise to unreasonably large block
reactions and consequently serious damage to both the docked ship and blocks. Docking block
failures may also cause the disruption of docking schedules and an extension of ship downtime.
Any failure may lead to the loss of lives (Cheng et al., 2004).
Marine dry docks have been subject to study and research from several points of view such as
environmental, hydrodynamic design and construction (Najafi-Jilani and Naghavi, 2009).
Likewise, docking analysis has attracted the attention of various researchers. Jiang et al. (1987)
developed a reliable, efficient computer program for predicting block reactions in both graving
and floating docking analyses. Cheng and Zeng (1995) proposed a mathematical model for
optimising the positioning and allocation of docking blocks which ignored potential
uncertainties in their design. Two-level optimisation techniques were employed to solve the
optimal solution in their study. Cheng et al. (2004) proposed the convex model (mathematical
model) in which the indeterminacy about the uncertainty variables in designing docking blocks
is presented. Numerical examples were used to show that uncertainties affecting the optimal
solution can lead to an increase in volume of blocks compared to deterministic optimisation.
Technical considerations and investigations on docking facilities are discussed within various
studies in the literature such as strength analysis of floating docks (Cheng et al., 2004), robust
14
design of docking blocks (Cheng et al., 2004), predicting dry dock block reactions (Taravella,
2005), and other related research. On the other hand, computer integrated supply chain
management (Chrysoolouris et al., 2004), integrating lean model for repair and maintenance
(Verma and Ghadmode, 2004) and work flow cost model of repairing activities (McDevitt et
al., 2005) are seen in the literature as ongoing research regarding the planning and
implementation process of docking facilities in shipyards. A fuzzy axiomatic design-based
performance evaluation model for docking facilities was proposed by Celik et al. (2009), with
the goal of overcoming the selection problem with respect to several criteria to find the most
suitable shipyard. The effects of dry docks on marine hydrodynamics are mainly related to the
significant amounts of pollutants which build up over dry dock surfaces because of intensive
industry activity (Akan et al., 2000, and Kretzschmar, 2000).
The construction of dry docks is a complex procedure which needs a scientifically integrated
management technology (Kumanoto et al., 1990). Special design concerns are considered for
a dry dock with marginal wharf surface (Thibeaux et al., 2004, and Arroyo et al., 2002) and
also in the control of dry dock operations (Regan et al., 2007). A special loading pattern exists
on dry docks due to uplift pressures (Kinner and Stimpson, 1983) and the interaction of marine
hydrodynamics and structures has also been researched (Fernades and Correia, 1986, Lai and
Lee, 1989, Shugar et al., 1991, and Cheng et al., 2002).
Another concern in the design of dry docks is the total time required to fill them with water
(JLARC, 2006). The filling time depends mainly on the specifications of a flooding system
which is generally operated by gravity. The main components of the flooding system such as
an intake channel and guide walls are generally extremely complex. Also, the interaction of
dry docks and marine hydrodynamics and sedimentation is also a major issue in design
(Seelam, 2008). Najafi-Jilani and Naghavi (2009) insisted on the necessity to investigate the
hydrodynamic behaviours of dry docks, the flow patterns, and the efficiencies of the flooding
system using the numerical method as a proposed method to analyse the flow through the
flooding system.
The maintenance and safety certification of graving dry docks is essential in supporting fleet
operation and readiness. Wu et al. (1990) proposed stability analysis and displacement
measures of graving dry dock walls using distance measuring instruction. Periodic docking
facilities can be recognised as the biggest logistical issue in the content of ship maintenance
programmes and are the critical process from the viewpoint of ship-owners. Since the
15
relationship between ship management and shipyard continues during the life cycle of
operating ships, it is required to have a well-planned and organised system (Celik et al., 2009).
In this new era, new safety rules place new demands on ship operators and dry dock operators
to increase the quality of floating-graving dry dock operations and improve safety (Inozu and
Radovic, 2002).
Docking ships are potentially hazardous operations as the ship passes between the dry and
waterborne conditions. A ship may run aground either due to human error in navigation, due
to obstacles not recorded on charts, or due to the failure of the ship’s control systems (Tupper,
2013). It is therefore important that they are studied in some depth (Tupper, 2013). Although
docking is now less frequent because hull coatings to reduce corrosion remain for longer, and
although more can be achieved in the way of repairs with a vessel still afloat, the docking
industry remains vital in the economy of the shipping industry (Tupper, 2013). Since it is
planned to make an evaluation from the viewpoint of shipyard-owners, this research focuses
on expectations and execution activities of the technical and operational departments of ship
management companies regarding the docking process by implementing FSA. However,
uncertainties in material, geometric properties, loads etc., are unavoidable in the design of
engineering structures such as floating-graving docks.
2.3 Floating-Graving Docking Systems
Dry docks are structures that allow complete dry access to a vessel for maintenance, overhaul,
and repairs, or for new construction and launching. They are the workhorses of ship repair
facilities and may be used in lieu of traditional building ways at shipyards devoted to new
construction. There are various types of dry docks, including those that physically lift the ship
from the water such as floating dry docks, marine railways, and vertical-lift systems, and
traditional basin dry docks that dewater an enclosed space around the vessel (Becth and Heger,
2006). Only floating and graving dry docks are considered in this research. This section is
intended as an introduction to floating and graving dry docks and their basic principles of
design and operation.
2.3.1 Shipbuilding and ship repair yards
Shipyards are industrial plants located in suitable water areas such as a harbour basin, a bay or
a river, for building, repair and maintenance of ships. They are generally classified as
shipbuilding yards, which produce new ships, and ship repair yards, which are mainly involved
16
in the repair and maintenance of ships. There are also shipyards for both production and repair
of ships (Mazurkiewicz, 1980). Their equipment will depend on the prevailing type of
production. Thus, in ship repair yards, shipbuilding will be of secondary importance, simply
providing work for production units during less intensive work periods. Only the ship repair
yard is included in this research. In ship repair, the main criteria are the size and the type of
ships repaired, whether large, medium or small (Harren, 2012).
2.3.2 Background on graving dock
The name ‘graving dock’ derives from the dock’s original action, to permit the cleaning of a
ship’s bottom, a process known as graving. Graving docks are large, fixed bases built into the
ground at the water’s edge (Becth and Heger, 2006). A watertight gate is closed after a vessel
is floated into the dry dock and positioned above the blocking that will support it in the dry
condition. Once the gate and vessel are in position, the water is pumped from the basin, causing
the ship to settle on the blocks, exposing the underbody (Salzer, 1986).
Many construction techniques are used for building graving docks: sheet pile cells filled with
sand, caissons of re-enforced concrete, and monolithic cast concrete, to name a few. The factors
involved in deciding upon a construction technique include initial cost (often traded off against
life expectancy), designer’s or owner’s preference, local influences such as the conditions, and
available materials and skills (Salzer, 1986). When the fixed basin is dewatered, hydrostatic
uplift tends to lift the entire structure from its foundation, causing it to tilt. In the early days of
graving dock design, this tendency was countered by providing an enormous mass of concrete
for its construction. Today’s modern approach uses a relieved floor, whereby uplift is avoided
by installing a draining area system beneath the floor of the dry dock and pumping water away
from contact with the boundaries of the dock (Salzer, 1986).
The dry dock is structurally divided into five parts: the portside wall, the starboard and head
walls, the pump room, the entrance, and the dock bottom. All these parts seal off water
(Kumamoto et al., 1990). There are three categories that relate to the means used to resist the
buoyancy force on the dock resulting from the displacement of water volume of the dock
(Harren, 2012): i.e. full hydrostatic graving dock – relies on its own weight or an anchorage
system to resist the hydrostatic forces acting on the dock; full relieved graving dock does not
have sufficient weight to resist forces acting on the dock, but relies on a drainage system to
remove the surrounding water behind the walls and beneath the slab to alleviate the hydrostatic
17
pressure; partially relieved graving dock. Thus it requires relief of the hydrostatic force under
the floor slab only.
2.3.3 Background on floating dry dock
Floating dry docks are barge-like floating structures with sufficient displacement, dimension,
and stability for physically lifting a vessel from the water. Wing walls are provided on either
side of the barge-like pontoon structure. They provide stability during docking operations and
add to the sectional strength of the dock. They exist in a wide variety of sizes and designs.
Large docks are very complex systems and are designed by professionals who intend to build
structure, utilities, mechanical equipment, blocking and crane configuration (Mazurkiewicz,
1980). They are also operated with list and trim to reduce block loading and reduce or eliminate
vessel stability problems when docking or undocking (Harren, 2012).
Floating dry docks are composed of a pontoon and wing walls. The pontoon is the main
structural component that must be designed to distribute the concentrated blocking loads from
the vessel to the dock and ultimately to the uniform buoyant force on the hull. The pontoon
provides the transverse strength for the dock as well as contributing to the longitudinal strength
(Harren, 2012). Additionally, the pontoon must have sufficient volume to provide displacement
to lift the vessel and dock out of the water with buoyancy. The wing walls provide stability
when the pontoon is submerged, and the longitudinal strength to distribute the ship’s weight to
the uniform buoyancy support (Becth and Heger, 2006). These docks are used mainly for ship
repair work but they can also be used for launching new ships. In modern layouts, floating dry
docks are also equipped with gantry cranes, ensuring greater flexibility during repair or
exchange of large parts of the ship under repair (Salzer, 1986).
2.3.4 Layout of ship repair yards
In floating-graving dock ship repair yards the division of organisational units and their location
on the shipyard area are different from those of shipbuilding yards because of the different
technological processes involved. Generally one can have the following main production
workshops in a repair shipyard: hull repair shops, maintenance and paint shops and repair shops
for ship machinery. All these workshops are usually located close to the quays and docks
(Kumamoto et al., 1990). Hence, four kinds of ship repair yard layout exist: (pier arrangement),
around a basin, on an island, and on a peninsula. Pier arrangement is very useful because it
gives a relatively narrow quay front and very short transport lines. The basin layout results in
18
the least efficient arrangement of workshops because of the extended transport routes and the
necessity for dividing equipment repair shops and machine repair shops into two separate
centres (Mazurkiewicz, 1980).
Ship repair yards cannot afford the simplicity of single purpose equipment or layout but must
be able to cope with any problem and be prepared for any repair job, day and night, from
replacing a hull plate to rebuilding a main engine. The rapid growth in ship dimensions in
recent years has brought about the reorganisation of ship repair facilities and the constant
modification of the layout, mainly as regards size. This has led to the elongation of existing
berths but, at the same time, mooring and docking devices that were too small to use. Existing
cranes were too weak for the increased loads, such as ship engines, while the individual
workshops required a larger area, and larger machine tools and overhead cranes. As a
consequence, ship repairs yards on their original sites were not able to keep pace with demand
(Mazurkiewicz, 1980).
2.3.5 Trends in the ship repairing industry
The dynamic development of the world economy has naturally resulted in the growth of
international and ocean trade; the latter characterised by continuous quality and quantity
changes (Kumamoto et al., 1990). This means that the rate of the world merchant fleet
development is a function of the risk in cargo turnover in ocean trade and of the changes in the
fleet structure (at least in the technical sense) as a direct consequence of the changes in the
structure of international trade. It is quite possible that a certain decline in repair will occur in
the immediate future (Kumamoto et al., 1990).
This does not mean, however, a complete slowdown in the development of international ocean
trade. Technical progress in ship repair will lead to new techniques of cargo handling, and new
freight systems characterised by the increasing efficiency of ships and by decreasing unit costs
for cargo (Mazurkiewicz, 1980). By analysis of trends in international ocean cargo trade and
the future economic development of individual geographical regions and their populations, it
is possible to estimate the sea cargo turnover. Analysis of the world cargo fleet development
finds the following kinds of ships have been distinguished (Mazurkiewicz, 1980): (a) general
cargo ships, container ships, ferries, hover-craft, etc.; (b) ships for dry cargo including the oil-
bulk-ore (OBO) carriers and ore-tankers; (c) tankers for crude oil and oil products and special
tankers for liquefied gas, liquid sulphur carriers, etc.
19
2.3.6 Factors making ship repairing more efficient
Some characteristics and features are desirable for the efficient operation of a dry dock
regardless of type and facility chosen (Becht and Heger, 2003): (1) adequate space is necessary
in and around the dry dock for both the people and material to move to and from a vessel in the
dock; (2) fast and efficient access is needed to and from the dry dock and the vessel in the dry
dock. Access for vehicular traffic is very desirable. The introduction of travelling staging or
dock arms for use in basin and floating dry docks has helped to make ship repairing more
efficient; (3) adequate light and ventilation are necessary to ensure good working conditions;
(4) an efficient method should be provided for moving a vessel in and out of dry dock. Docks
are often equipped with tensioning winches, capstans, and other line-handling hardware, which
allow the dry dock crew to control the vessel as it enters the dock and position it correctly over
the blocks. Electric or electrohydraulic capstans are most often used to handle the lines; (5) a
proper blocking system must be provided. Blocks are used to support the weight of the ship
while positioning it at a convenient height to provide work access underneath and leave much
of the bottom area free for cleaning, repair, and painting. They also provide stability to prevent
the ship from tipping over due to high winds or earthquake forces. The blocking can be
considered as a mattress that provides support yet yields elastically to account for irregularities
in the fit of the ship.
2.3.7 Factors affecting the selection of a dry dock system
The management of nearly every shipyard at one time or another considers an investment in a
new or enlarged dry docking capability. Sometimes the choice of system is easy, as only one
type of dry dock will meet the shipyard’s need. More often, however, management must
evaluate several systems and decide between them (Salzer, 1986). Selection of the appropriate
type of dry docking facility will be influenced by many factors including (Becht and Heger,
2003): (1) the dimensions, weight characteristics, and general features of the vessels to be
serviced by the dry dock; (2) conditions at the site of the dry dock and the associated land
facilities, including available land area, available area in the water, proximity to navigable
channels or open water, tides, currents, topography, and soil conditions; (4) the near- and far-
term goals of the shipyard and the potential future extension of the dry docking facilities. The
most vital factor is the size of vessel and size of dry dock. A summary of factors to be
considered in the selection of a floating-graving dock system is presented in Table 2.1 (Salzer,
1986).
20
Table 2.1: Summary of factors to be considered in the selection of a dry dock system (Salzer,1986)
Factor Graving Dock Floating Drydock
Vessel size Virtually unlimited, the largest docks handle vessels, in
excess of 1 million deadweight tons
Recent docks have been built to handle vessel in
excess of 350,000 deadweight tons
Sitting restrictions Local extremes of soil conditions can create extreme
variations in initial cost
None
Speed of operation Dependent on pumping capacity. Typical installations
utilize rates of between 6 to 10 hours
Dependent on pumping capacity. Typically 1 to 3
hours
Dredging/
Siltation
Adjacent bottom level must be maintained below sill of
gate elevation
Must maintain adequate depth in area of dry dock to
permit nominal clearance beneath baseline at
submerged elevation
Maintenance Gate-Periodic drydocking for vessel-like maintenance.
Machinery-Preventative maintenance and occasional
overhaul. Basin- In-place corrosion control and repair.
Protection-Impressed current cathodic protection systems
and sacrificial zincs are usually provided for underwater
steel elements.
Machinery-Preventative maintenance and
occasional overhaul. Dock structures- Floating dry
docks are usually designed to be self-docking
vessel-like maintenance.
Protection-Cathodic protection and sacrificial zincs
are usually provided.
Guideline, Annual
reserve for
maintenance
1-2% of initial cost 1-4% of initial cost
Capital Recovery
Potential
None About 90% of appraised value (less towing and
insurance expenses)
Land Area Required Usually a graving dock is inset into a shipyard site and
therefore requires an amount of real estate equal to the
footprint of the dock plus access
Requires only frontage on the property line. Can
often be moored outside of the harbour’s bulkhead
line.
Compatibility with
transfer to land berths
Graving docks are very seldom used in conjunction with
land berths.
Often utilizes a full or partial grounding mat to
stabilize the dock’s level during transfer. Ballasting
control is possible and has been used without
grounding mass but requires a highly trained
dockmaster.
Material flow to
vessels in drydock
All material must be removed from area prior to docking
and undocking. Cranes are usually installed on dock walls
to facilitate handling. New docks are sometimes provided
with a vehicle ramp to remedy this traditional
shortcoming.
Wing-walls limit access to the end of the dock.
Material must be removed prior to docking and
undocking. Cranes are often provided on wing-
walls to assist.
Earthquake resistance
Special design criteria must be considered for docks to be
installed in earthquake prone areas. Ships blocking must
also be considered in these areas.
Tsunamis accompanying earthquakes are the major
consideration for floating drydocks.
Special features
available
Intermediate gates permits subdivision of graving docks
for more than one vessel at a time.
Double ended docks with intermediate gates are
sometimes used to permit a long dock to function as two
docks.
Floating dry docks can be designed to be separated
into two independent units.
Special adaptations and designs have been
developed to permit limited access without full
drydocking.
Simplicity of
drydocking
Winches and centering guides are used to assist in
positioning ships. The crew size is a function of the vessel
size. Operations are carried out in the relative calm of a
protected basin.
Vertical control is maintained by the pumping of
water. A certain amount of dock and vessel motion
must be contended with to assure safe operation. A
skilful docking master is required.
21
2.3.8 The economics of docking a vessel
The cost of dry docking facilities for any given capacity can vary widely depending on the
local conditions. Floating docks can be purchased second-hand and towed to the site. Second-
hand costs vary widely but average out at a half to a third of the cost of other docking systems
(Mackie, 1999). The tariffs are set to suit their marketing strategy. A dry docking tariff running
10% of the cost to the ship owner of the work done on his vessels is about the limit that will be
tolerated by ship owners. In general, the real money is made in ship repair. Provided a dock is
reasonably utilised, the annual turnover on repair work will be 2 to 3 times the cost of the
facility. This leaves the dry dock as the largest single investment a ship repair company must
make – something they may not be willing to do if the market is not stable (Mackie, 1999).
Docking a ship is an expensive business and over the years much effort has been devoted to
increasing the intervals between docking and reducing time needed in dock. Measures taken
include the following (Tupper, 2013): (1) developing hull coatings which remain effective for
longer, including so-called self-polishing paints; (2) using cathodic protection systems to
protect the hull and its fitting against corrosion; (3) designing underwater features so that they
can be removed and replaced with the ship still afloat.
These economies, however, do not debar the open or public utility dry dock. The tax yield to
the state from the economic activity engendered by ship repair at the dock, depending on the
levels of taxation and the levels of activity could amortise the capital cost of the dock in 5 to 7
years. Thereafter, the tax yields are free and may be accounted together with the other socio-
economic benefits that may flow from a healthy ship repair industry (Mackie, 1999).
2.3.9 Ship dry dock specification
2.3.9.1 Shipyard docking plan
Using the vessel’s docking plan, the shipyard develops an in-house docking plan to be
submitted to the ship owner for approval. Based on the vessel-dock configuration, the shipyard
needs to determine whether an alternate blocking plan that differs from the ship owner’s
docking plan is required (Harren, 2012).
22
Unless otherwise contractually stated, the docking position usually account for the previously
docked positions to ensure that the vessel can be 100% paint coated. The shipyard’s docking
plan contains information such as (Harren, 2012): the alternate blocking plan, plan view of dry
dock with vessel outline, elevation view of dry dock with vessel outline, cross section at
propellers, side block table of offsets, table of hull openings below the projected docking, etc.
General information on docking position, keel block, and side block is also important.
2.3.9.2 Accuracy factors
Dry docking plays an important role in a ship operation project. The ship’s dry docking project
is seen as the largest periodic maintenance activity that a ship is exposed to during its life cycle
(Inozu and Radovic, 2002). Extensive research has indicated that uncertainty of
unplanned/growth of work for ship repair projects can be avoided if historical data and major
maintenance job specifications such as ship dry docking are written in a standard and error free
format with a good assessment of the ship’s condition.
In general, many shipping companies have always accepted the fact that the amount of work
required grows during dry dock, due to the complexity of the process. However, they have
incorporated this growth into the budget by adding supplementary funding of 20% or more of
the initial dry dock budget to cover this item of expenditure rather than investigating how they
can eliminate the problem. Figure 2.1 shows some of the most important contributors for proper
maintenance in dry dock. Appropriate machinery and hull condition data can be tracked using
computer database maintenance and repair tracking system (Inozu and Radovic, 2002).
Figure 2.1: Breakdown of specification accuracy factors (Inozu and Radovic, 2002)
23
It is important to emphasize the need for accurate ship repair and maintenance history when
preparing ship dry dock specifications. Historical information on equipment failure rates, poor
workmanship in dry dock, planning mistakes, etc. may help predict future maintenance and
repair needs. Growth items cost ship operators an average of 50% to 80% more than if they
would have been planned and identified in dry-dock specifications before dry-dock starts
(Inozu and Radovic, 2002).
Growth items cost ship operators a lot of money. If the growth items could be planned and
identified in dry dock specifications before a dry dock project starts, the cost avoidance for
these items would be significant. In addition, a poor knowledge of ship hull and equipment
condition directly relates to ship safety (Inozu and Radovic, 2002).It is, therefore, in the best
interest of the ship operators to examine and monitor a ships condition to minimize potential
defects. Proper docking operations are the main emphasis of the FSA approach (Inozu and
Radovic, 2002).
2.3.9.3 Top level dry dock specification
The first activity of this research is to identify ship operator’s dry docking process top-level
map, which is shown in Figure 2.2. It shows the flow of specification documentation and parties
involved with its generation (Inozu and Radovic, 2002).
Figure 2.2: Top level dry dock specification (Inozu and Radovic, 2002)
After being approved, the specifications go to shipyards for bidding and the yard chosen in the
bidding process works with the ship’s crew and port engineer on the execution of tasks
24
identified by the specifications. The effectiveness of each step in the specification generation
and dry dock project execution process presents different parts of FSA (Inozu and Radovic,
2002).
2.4 Regulations and Standards on Floating-Graving Dry docks
The international and national legislation, rules and regulations were adopted, implemented
and enforced by: IMO and flag states and classification societies.
2.4.1 IMO
IMO stands for the International Maritime Organisation formed as a specialized UN-agency
that sets standards in IMO conventions, codes and other instruments, which are developed
following proposals made by member flag stages that are both users and providers of
international shipping services, and are generally adopted on a consensual basis (Aristo, 2012).
These are internationally agreed minimum standards. They are not the highest possible or
conceivable standards, but the highest practicable (Aristo, 2012).
The major aims of the IMO are as follows: (1)To provide effective machinery for technical,
legal and scientific cooperation among flag states in the field of the protection of the marine
environment from pollution from ships and relative activities; (2) To encourage the widest
possible acceptance and effective implementation of these standards at the global level (Aristo,
2012).
2.4.2 Flag State implementation
Flag state implementation is new body which developed important instruments and guidelines
to facilitate flag states in fulfilling their obligations under the applicable conventions but the
core of the problem still remains unresolved. For the time being, there continues to be
widespread resistance to granting the IMO any enforcement authority of this kind. A number
of ports have adopted the Port State Control (PSC), but their authority is limited and their
inspections generally superficial, with insufficient depth and detail (Aristo, 2012), hence many
flag states seem to have delegated their responsibility to classification societies.
2.4.3 Classification societies
The main function is to lay down standards for the construction and subsequent maintenance
of ships and to ensure that these standards are fully implemented. These standards are published
25
in the form of Rules and Regulations and Procedures. According to the rules for classifications
of floating docks (DNV, 2012) rules are based on assumptions that the floating dock will be
properly handled at all times, and it is assumed that all loading and ballasting will be in
compliance with the approved operating manual. ABS (2009) and KR (2010) also provide
similar rules for building and classing steel floating dry docks. Class can only attend periodical
surveys as defined in their Regulations and only at the request of the Owner/Operator/Manager.
Periodic surveys are carried out on annual, intermediate (2 to 3 years) or special survey (5
years’ cycles). Class cannot maintain safety of ships under all circumstances due mainly to the
following (Aristo, 2012): Class dependence on the ship-owners or for new building on
shipyards: (b) Conflict in interest as class is often carrying out statutory surveys and issuing
certificates on behalf of flag state (c) Classification rules and regulations and procedures are
the absolute minimum standards: (d) Class has no or at least very limited authority to
implement and enforce regulations; (e) Class in fact does not have direct responsibility.
2.4.4 Standards and compliance
As studied, there is a focus on compliance rather than on actually achieving safety. These
legislation, rules and regulations can be grouped into technical, safety regulations, economic,
operational regulations, and security regulations. An example of docking regulation is
Canadian Vickers Regulation (CVR, 2012).
2.4.5 Data collection
The shipyard industry is an important and strategic industry in a number of EU member states
and the community as a whole. Shipbuilding is also an attractive industry for developing
nations. Japan used shipbuilding in the 1950s and 1960s to rebuild its industrial structure,
Korea made shipbuilding a strategic industry for its economic developments in the 1970s and
China is now in the process to repeat these models with large state-supported investments in
the industry (CESA, 2006). Data collected shows that working in shipyards remains as one of
the riskiest occupation in the United States as Bureau statistics of Labour (BSL) records from
1999 to 2007. This record remains true from shipyard accident statistics collected from Health
and Safety Executive (HSE) in the UK, where the injury rate in the shipyard industry doubled
compared to manufacturing industry. This sends a clear message for the need to examine the
existing health and safety management system in shipyards, its characteristics, safety programs,
guidelines and shipyard safety standards.
26
It is often said that “what works in one yard may not necessarily work in another, each yard is
best judge of what will work for it.”
Nevertheless, every shipyard has its own personality. That personality is the product of many
factors including the yard’s history, its size, its organisational structure, its employee relations
atmosphere, and its management style. Therefore the operations in shipyards are dynamic and
not static, hence internal and external influences must be adjusted to enhance safety in
shipyards (Frank, 1991).
2.4.6 USA shipyards
Shipbuilding and repair in the United States (US) has historically been considered as a strategic
industry, supporting both military and commercial interest. Currently, in the U.S this industry
consists of about 250 private companies and five publicly owned and operated repair yards.
U.S shipbuilding and repair revenues totalled $ 10.2 billion in 1998 (NSA, 2001). The
shipyards on the Eastern and Gulf Coasts account for over 80 percent of these revenues. The
six biggest shipbuilders commonly referred to as the Big Six, account for two-thirds of the
industry revenue. This big six include (NSA, 2001): Bath Iron Work (Maine), NASSCO (San
Diego), Avondale (New Orleans) and Ingalls Shipbuilding (Mississippi) are part of Litton Ship
Systems and Newport News Shipbuilding (Virginia).
The shipbuilding and repair industry is a strategic asset analogous to the aerospace, computer,
and electronics industry. Frontline warships and support vessels are vital for maintaining
America’s national security and for protecting interests abroad. In emergency situations,
America’s cargo-carrying capacity is indispensable for moving troops and supplies to areas of
conflict overseas. The following associations affect the shipyard activities in USA: American
Shipbuilding Association (ASA), National Shipbuilding Research Program (NSRP), and
Shipbuilders Council of America (SCA).
2.4.7 European shipbuilding and repair activities
Over the past 30 years, the European shipbuilding, repair and conversion industry has seen
substantial rationalisations, mergers and consolidation. This has been against a background of
increasing shipbuilding capacity in China and South Korea and continuing arguments on
shipbuilding subsidies (CESA, 2006). The EU has developed a strategy in order to tackle the
Korean practices, which include shipbuilding subsidies that have been harmful to EU
shipyards. There are more than 150 shipyards in the EU, with capacity of 40 of them active in
27
the global market for large sea-going vessels. EU shipyards employ 55,000 directly and, since
the enlargement of the EU, the annual turnover is more than 11.5 billion Euros. The following
associations affect shipyards in EU: Community of European Shipbuilders Association
(CESA), and Association of European Shipbuilders and Ship Repairs (AWES).
2.4.8 UK shipyards
UK shipbuilding is defined in four broad categories: new-build merchant ships; new-build
naval ships; merchant repair and conversion; and naval repair. All companies in this industry
are located in the UK and are, degrees of shareholding notwithstanding, British owned and
operated (Martins, 2008). There are more than 16,000 shipyard workers employed in the UK
(CESA, 2006). There are several shipyards in the UK, some of them include: A & P Type Ltd
Newcastle, Pallion Engineering Ltd, Dunston (ship repair) Ltd, A $ P Teesside, Richards Dry
Dock and Engineering Ltd, Small and Co Ltd Lowestoft, North-western Ship repairers &
Shipbuilders Ltd, BAE Systems and Naval, Fleet Support ltd, VT shipbuilders, VT Halmatic,
A & P ship care, and Thames Shipbuilders Burges Marine Ltd. Shipbuilders. Ship Repairs
Association (SSA) is one of the organisations in UK that seek to enhance safety in shipyards.
2.4.9 China shipyard
Since the start of the 21st century, China’s shipbuilding industry has enjoyed significant
development. Fostered by the state macro policy and great demand both in China and abroad,
the industry will still keep fast growth in the coming several years based on the anticipation of
Commission of Science Technology and Industry for National Defence (Dilan, 2008). The
industry is dominated by two huge state-owned enterprises: China State Shipbuilding
Corporation and China Shipbuilding Industry Corporation, the parent of the Dalian company.
But in recent years, it has also seen a large number of new entrants, in the form of smaller
shipyards run by local governments or private groups, or set up as joint ventures. There are
now 3,000 of these smaller shipyards, up from just 350 a decade ago (Dilan, 2008). Shipyards
in China include: Dalian Shipyard, Jiangsu Shipyard, Jinlin Shipyard, Wuhu Shipyard, Chenki
Shipyard, Mawei Shipyard, Guangzhous Shipyard, Bohai Shipyard to name but a few.
2.4.10 Singapore shipyards
In Singapore, the Work Safe and Health (WSH) Council highlights the need to do more in view
of the booming marine industry. The chairman of WSH Council Lee (2008) explains “as more
work and projects are being taken in shipyards, it is critical that they remain vigilant and
28
ensure that the necessary safety measures are in place.” Lee (2008) suggested the need to
ensure all shipyards take on Association of Singapore Marine Industries’ (ASMI) suggestion
to immediately do a time out and review all systems and processes before resuming work. This
is in an effort to rank Singapore shipyards amongst the top around the globe. It is clear that,
many organisations are trying their best to rank their shipyards the top in the globe in safety,
operation and efficiency. It must come at the expense of cost, whereby the right amount of
resources, and tools to realise this goal must be put in place.
2.5 Typical Shipyard Accidents
Several shipyard accidents have occurred over the years. These accidents have paved the way
for strikes, tougher legislation and the need to enforce the guidelines on safe working practices
in shipyards. Not only have these accidents led to loss of production time, and environmental
degradation, but also loss of lives for individuals working to make sure that these vessels
remain seaworthy.
2.5.1 Jurong shipyard accident
Greek tanker, Spyros, exploded at Jurong Shipyard in 1978. It remains Singapore’s worst
industrial accident killing 76 with nearly 100 injured in an explosion and fire on board the ship
at the Jurong Shipyard. The explosion took place after about 150 workers went into the engine
room (Jansen and Lee 1978). Sparks from the cutting torch used during repairs, caused a fire
which ignited an explosive vapour mixture within the aft starboard bunker tank of the vessel.
The fuel tank had been contaminated by crude oil. The explosion ruptured the common
bulkhead between the tank and the engine room, releasing the burning oil into the engine room
and setting fire. Of those working on board the vessel, 76 people were killed and 69 others
injured (Tan, 1990).
2.5.2 Subic bay accident
Three workers died at shipyards at Subic Bay in the Philippines. This caused the International
Metalworkers’ Federation (IMF) to raise issues on safety and health in shipbuilding at ILO
World Congress on Safety and Health at Work (IMF, 2008). Poor implementation of safety
rules and regulations was the main concern about this accident. It was stated clearly that safety
permits were not given to subcontractors before work. In the blast incident, the workers on the
upper level were doing the grinding while those at the lower level were applying oil near the
propeller and the acetylene (tanks). The findings showed the following (Ansbert, 2008): (a)
Employees were given only a general orientation of the shipyard, (b) No dry dock orientation
29
was given in case of fire, (c) There was no systematic dry dock fire rail, specific alarm system,
exit map and lights.
2.5.3 Tuzla shipyard strikes
More than 5,000 supporters joined the strike action in the Tuzla shipyards in Turkey calling for
better health and safety (IMF, 2008). The major cause of this strike was due to fact the that 18
shipyard workers were killed in the previous seven months alone in workplace accidents; in
the protest the police arrested 70 workers (IMF, 2008). Another cause of this strike was that
the vast majority of workers work for subcontractors, and these firms pay little or no attention
to health and safety issues and regulations.
2.5.4 Union Naval de Levante accident
On 3 July, 1997, 18 workers in the shipyard of Union Naval de levante in Valencia died when
a ship under construction caught fire. The causes of the accident, Spain’s most serious recent
accident before the Madrid train bombings, was due to breach of safety regulations. The
accident occurred when a ship under construction caught fire while it was loading fuel. Several
workers claimed that insufficient safety measures had operated at the shipyard and accused the
company of not stopping welding work during fuel loading (Cirem, 1997). The Comisiones
Obreras (CC.CO) drew up a report claiming that there had been three fuel leaks during the
loading, and that one of these leaks caused the fire by contact with electrical material (Cirem,
1997).
2.6 FSA Applied to Shipping Industry
Shipping is a traditional industry in which safety has been an issue for hundreds of years.
Meanwhile, accidents have often led to the recognition of the need for measures to control risks
at sea. For example, the Titanic disaster in 1912 in which 1430 lives were lost, led to the first
International Conference on Safety of Life at Sea (SOLAS), that set international standards and
regulations to prevent such casualties. The capsizing of the linear Andrea Doria prompted the
United States delegation to attend the 1960 International Safety Conference and introduced the
concept that ship safety should be measured as the extent of damage a ship could survive. The
Exxon Valdez disaster in 1990 resulted in the use of double hull tankers mandated by the IMO.
These incidents indicate the everlasting necessity for introducing modern risk assessment
techniques in the commercial shipping industry (Bai, 2003). In 1993 a particular industry
developed type of risk management framework in the ship safety regime was proposed by the
30
UK to the IMO, referred to as the FSA. Being a tool designed to assist maritime regulators,
FSA is not intended for application to individual ships, but for use in a generic way for shipping
in general.
To increase safety at sea, IMO has developed a structure and systematic methodology for FSA
by using risk analysis and an efficient risk management. FSA is a rational and systematic
process for assessing risks and for evaluating the costs and benefits of different options for
reducing those risks (Gasporati, 2012). The method provides a means of being proactive,
enabling potential hazards to be considered before a serious accident occurs. The main
elements introduced by FSA are: a formalized procedure, an auditable process, communicated
safety objectives, and priorities based on cost effectiveness. These have made the FSA a more
rational risk assessment approach for the regulatory purposes in the shipping industry (Bai,
2003). Risk assessment is a complex process involving the identification of the hazard and its
sources, as well as of the consequence and severity of their associated risks. This is used to
elaborate strategies for risk diminishing and safety improvement at sea by adopting prevention
and control measures and reducing risks (Gasporati, 2012).
2.6.1 Characteristic of FSA in dry docking industry
FSA represents a fundamental change from what was previously a largely piecemeal and
reactive regulatory approach to one which is proactive, integrated and, above all, based on risk
evaluation and management in a transparent and justifiable manner, thereby encouraging
greater compliance with the maritime regulatory framework, in turn leading to improved safety
and environmental protection (Gasporati, 2012).
FSA may be used to develop performance-based rules stating safety objectives and functional
requirements and rational prescriptive standards based on the performance-based rules. The
main characteristics of the FSA are (Gasporati, 2012): (1) a systematic approach considering
the shipyard as a socio-technical system. The system may consist of hardware, environment,
human organisations, operations, and procedures; (2) risks associated with various hazards are
described and analysed. The risk analysis covers a certain time-span, i.e. the operational life,
and may involve quantitative or qualitative tools to perform likelihood and consequences
calculations; (3) once a risk is quantified, it is then necessary to determine if the risk is
acceptable, based on the predefined acceptance criteria. When the risk is acceptable, a
cost/benefit analysis may be followed to compare the costs for preventative/protective
measures with the benefits; (4) the listed basic elements are integrated into a risk model, where
31
the objective is to recommend the most cost-effective, preventive, and mitigating measures for
risk management.
Based on the principles of identifying hazards, evaluating risks and cost-benefit assessment, to
effectively manage FSA in the docking industry, there needs to be a loop established, whereby
the effects of changes based on the decision-making are monitored to ascertain whether the
desired level of safety can be achieved and, if not, further options examined (Hu et al., 2007).
The FSA has proved to be a method widely applicable, detailed in statistical analysis and
effective in assessment, featuring formal operation procedures, serial standards analysis
techniques and decision making based on cost-benefit assessment. The core process comprises
five steps. These objectives and rational analyses facilitate systematic judgements and effective
management of risk (Soares and Teixeira, 2001).
There are three options for safety assessment provided by FSA (Hu et al., 2007): (a) Option
one: three-step assessment, which means hazard identification (step 1), assessment of risk (step
2) and the recommendation for decision making (step 5); (b) Option two: four-step assessment,
comprising hazard identification (step 1), assessment of risks (step 2), risk control options (step
3) and the recommendations for decision making (step 5); (c) Option three: five-step
assessment, full steps in the FSA method. The assessment of risks is the core process and plays
a significant role in the above categories, among which the establishment of risk models is a
critical step (Hu et al., 2007).
2.6.2 FSA in other organisations
FSA is today used in many industries worldwide. Its use is not limited to industrial regulators
but rather increasingly operators are using this approach to manage pro-actively the risks
arising from their industrial activities. It is also used by governmental organisations, both
national and international, which do not have a specific regulatory role. Some examples of
organisations that have successfully implemented FSA over the years are presented in Figure
2.3 (Vince, 1995 and Xun, 1995): (1) In Holland, the Dutch authorities used FSA to balance
risk of the storage and transportation of LPG and motor spirit; (2) The international Labour
Organisation (ILO) has an increasing role with the control of chemicals risks to occupational
safety and health; (3) The organisation for Economic Co-operation and Development (OECD)
use FSA techniques for issues such as the economics of investment policies, food safety and
the analysis of nuclear safety technology; (4) International organisations such as the OECD,
32
World Health Organisation (WHO) and ILO have limited resources, as does the IMO. It is
necessary for these organisations to focus attention on those issues of highest priority.
Figure 2.3: Overview on the application of FSA (Vince, 1995 and Xun, 1995)
2.6.3 Implications of the application of FT-FSA
It is important to understand who can apply FSA. The following are the types of administration
that can apply FSA (Vince, 1995): (1) an individual administration or an organisation having
a consultative status with IMO when proposing amendments to safety and pollution prevention
and response-related IMO instruments in order to analyse the implications of such proposals
and; (2) an instructed subsidiary body to review the overall framework of safety and
environmental regulations aiming at identifying priorities of areas of concern of the current
regulations. Figure 2.4 presents the general look at authorities that can apply FSA.
Figure 2.4: General look at authorities that can apply FSA (Vince, 1995)
Who applies FSA?
1. An individual administraion or
orgnisation having a consultaitve status with IMO when propsoing
amendments to safety and pollution prevention
2.The committee, or instructed subsidiary
body, to review the overal framework of safety and enviroment regulations
3. For longer term, the development of FSA
should lead to the replacement of
prescriptive regulations by perfomance based
regulations
4. A small group should be established to consider
how the application of FSA would affect IMO's
Committee's structure
5. FSA should be applied towards a more
rationalised structure and morre efficient mechanism for
achieveing a desired goal
In Holland, Dutch Authority
implements FSA
ILO role with control of chemical
risk in relation to occupational
safety and health
OECD
UK Royal Navy
Unilaterally introduce the Operation Book Rules
Used FSA technique for issues such as economic
of investment policies, food safety
UK CAA
Risks of storage and transportation of LPG and
motor split
Offshore Implements FSA
Uses FSA in concept of design, construction, and
operation
London Underground Ltd Used FSA to save millions of pounds by using
smoke/heat detectors
33
2.6.4 Factors affecting the implementation of FT-FSA
The factors that affect the future implementation of FT-FSA include (Sekimzu, 1995): (1) FSA
as a tool for a precautionary approach in the decision-making process. Regulation development
in IMO have been described as not being proactive or precautionary; (2) optimum future
regulations: through the application of FSA, it would become possible to compare different
options of combinations of regulations; (3) justification for the compelling need: the strength
of the FSA rests in its systematic application of modern techniques for risk assessment and
cost-benefit consideration on all possible control measures; (5) human element: it will be
extremely important to take into account the role of the human element in the process of the
application of FSA, hence the safety evaluation of shipping as a man-machine system; (6)
collection of data: the evaluation of risks depends on the accuracy and volume of data on
casualties. Therefore, the collection of data would be a vital element in the successful objective
application of the FSA, although it is possible to use subjective evaluation as an interim means
with a reasonable degree of accuracy.
2.6.5 Risk evaluation
Risk estimation can identify the areas of high risk – the main contributors to risk-specific
hazards. The total risk to human safety, business and the environment may then be estimated.
Depending on the scope of the analysis, the output from a risk analysis for a dry dock will
provide descriptions of the risk in one, some or all of the following categories (Hartford and
Baecher, 2004): individual risk to the public, societal, occupational, environmental,
commercial, and socio-economical risk (the extent to which these categories are considered
depends on the nature and level of effort of risk analysis).
The outputs of the risk analysis should be structured to be useful inputs to the risk control
process. Graphical representations of frequencies of occurrences and consequences are also
useful. In quantitative analyses, risk and how it accumulates can be represented in a
summarised event tree based on condensed versions of the dry dock failure tree and the failure
consequences event tree (Hartford and Baecher, 2004).
Risk is estimated by combining the probabilities of failure-initiating events obtained from the
hazard analyses with the probabilities of dry dock failures obtained from the dock response
analyses, and the magnitudes of consequences and their associated probability distributions
from the consequence analysis phase (SSC, 2002). The principal methods available for
34
conducting risk analysis for dry docks are introduced here and explained in more detail in
subsequent sections. The following has been adapted from the Canadian Standard Association
(CSA) (1991) ‘Risk analysis requirements and guidelines’. The principal methods are: (1)
failure modes and effects analysis (FMEA); and associated methods; (2) fault tree analysis; (3)
Petrinets, (4) Monte-Carlo simulation; and (5) Bayesian network (BN).
2.6.5.1 Failure mode identification
Failure mode identification is an essential step in the risk estimation process as it lays the
foundation on which the remainder of the study is built (CSA, 1991). The extent to which
failure modes are defined may depend on the level of the analysis (Hartford and Baecher,
2004). Failure mode identification requires that the dry dock system are systematically
reviewed to identify the manner in which the dry dock, foundation or appurtenant structures
may fail under the imposed loading or causative conditions (Hartford and Baecher, 2004).
This systematic review might include: dry dock safety reviews which provide basic dry dock
specific input to the process; consideration of appropriate case histories of dry dock failures
and historical records of dry dock incidents (experience from previous risk analyses provides
useful input to this process); or checklists of causative conditions and failure modes to assist in
identifying potential failure modes for dry dock under review – a formal process that provides
a structure for raising issues and posing questions to a group of people familiar with all aspects
of the project, so that the system is exhaustively analysed with fault tree diagrams (CSA, 1991).
2.6.5.2 Failure modes and effects analysis (FMEA)
FMEA (including such variants as failure modes, effects and criticality analysis and hazard and
operability (HAZOP) studies) is a method of analysis whereby the effects or consequences of
individual components’ failure modes are systematically identified and analysed (Rajiv and
Pooja, 2012). While the actual analysis is inductive (i.e. based on the question ‘what happens
if a component fails?’), it is first necessary to break the dry dock system down into
subcomponents (Rajiv and Pooja, 2012).
FMEA is yet another powerful tool used by system safety and reliability engineers to identify
critical components/parts/functions whose failures will lead to undesirable outcomes such as
production loss, injury or even an accident (Rajiv and Pooja, 2012). FMEA was first applied
to naval aircraft flight control systems at Grumman in 1950 (Coutinho, 1964). Since then, it
has been extensively used as a powerful technique for system safety and reliability analysis of
35
products and processes in a wide range of industries including marine works. Its main objective
is to discover and prioritise the potential failure modes (by computing risk priority number -
RPN) that pose a detrimental effect to the system and its performance. The critically debated
disadvantage of FMEA based on RPN analysis is that various sets of failure occurrence
probability (Of), severity (S) and detectability (Od) may produce an identical value; however,
the risk implication may be totally different, which may result in high-risk events going
unnoticed. The other disadvantage of the RPN ranking method is that it neglects the relative
importance of Of, S and Od. The three factors are assumed to have the same importance but in
real practical applications relative importance among the factors exists. To address these
disadvantages related to traditional FMEA, a fuzzy decision making system can be used to
prioritise failures (Rajiv, and Pooja, 2012).
2.6.5.3 Fault tree analysis and petri nets
Fault tree analysis (FTA) is a technique, either quantitative or quantitative, by which conditions
and factors that can contribute to a specified undesired event (called the top event) are
deductively identified, organised in a logical manner and represented pictorially (Peterson,
1999). The faults identified in the tree can be events that are associated with component
hardware failures, human error or any pertinent event that leads to the undesired outcome (e.g.
dry dock flooding) (Rajiv, and Pooja, 2012). Contrary to fault trees, Petri nets can more
efficiently derive the minimum cut and path sets. Also, the absorption property of Petrinets
helps to simplify the Petri net model and determine minimum cut sets and path sets by re-
organising the transitions which is possible as long as firing time is not taken into consideration
i.e. transfer of tokens does not take place (static condition) (Singer, 1990, Liu and Chiou, 1997,
Adamyan and David, 2002). Similar to fault tree, petri nets makes use of digraph to describe
cause and effect relationship between conditions and events. Petri nets have two types of nodes
named place ‘P’ and transition ‘T’ (Peterson, 1999).
From literature studies it is observed that Petri nets and fault trees methods are used for software
reliability analysis (Kumar and Aggarwal, 1993); analysis of coherent fault trees (Hauptmanns,
2004) and fault diagnosis (Mustapha et al., 2004). The limitations of these current failure
analysis techniques are: (1) not being capable of evaluating sophisticated industrial systems
and; (2) based on unrealistic assumptions which are not intuitively comprehensive so that they
are not able to manage risky behaviours of the system and predict potential sequential failures
of systems which lead to catastrophic incidents. These traditional approaches can be handled
36
by an integrated approach which incorporates fuzzy logic in the concept of petri nets to develop
a new sequential analysis technique. To this effect, both probabilistic and non-probabilistic
methods available in literature are used to treat the element of uncertainty (Rajiv, and Pooja,
2012).
2.6.5.4 Bayesian network
Based on mature scientific theory, this probabilistic method deals with uncertainty that is
essentially random in nature but of an ordered kind (Yang et al., 2008). It is an exercise aimed
at estimating the probability and consequences of accidents for the dry dock facility under
study. The ability of the Bayesian network (BN) in modelling randomness and capturing non-
linear causal relationships is widely known. (Sadiq et al., 2006). Therefore, BNs can provide a
powerful risk analysis tool, and are used in a range of real applications concerned with
predicting properties of safety-critical systems (Sadiq et al., 2006).
The Bayesian approach is based on probability theory, which ‘aggregates’ data without
differentiating ‘aleatory’ and ‘epistemic’ uncertainties. Moreover, it requires too much a priori
information, which sometimes limits its application to updating existing information (Sadiq et
al., 2006). Consequently, earlier work has indicated that it is beneficial to combine fuzzy logic
and Bayesian reasoning for the purpose of compensating their individual disadvantages. Again,
Bayesian and evidential reasoning theory are widely known in risk analysis and play an
important role in the management of uncertainties, especially where multi-expert knowledge is
desired in a decision-making process (Yang et al., 2008).
2.6.5.5 Floating-graving dock response
Depending on the scope, the dry dock response analysis can take various forms including
qualitative failure modes and effect modes analysis, various levels of event tree and/or fault
tree analyses, and/or detailed quantitative analyses with formal treatment of uncertainty. Dry
dock response analysis involves modelling the response of the dry dock to the full ranges of
loads due to hazards and/or operating conditions (CSA, 1991).
The first stage of this process involves selection or development of a suitable model and
identification of data requirements. The second stage involves providing input data and running
the model for the various conditions under consideration. Disaggregation or decomposition of
the failure mechanism into its constituent parts are a key element of the analysis process. The
37
extent to which this disaggregation or decomposition is required will depend on the complexity
of the failure mechanism and the level of the analysis (CSA, 1991).
2.6.5.6 Consequence analysis of docking accidents
Consequence analysis involves estimating the direct and indirect impacts of the failure or
incident (CSA, 1991). The consequence analysis should provide a clear picture of what
emergency response personnel would be faced with should the failure occur, as well as a picture
of the long-term effects of the failure (CSA, 1991).
Consequence analysis consists of identification of potential losses and loss magnitude
estimation. In some cases it may be necessary to describe the estimate of consequences
probabilistically and account for temporal variation in the characteristics of the inundated area.
There are essentially five aspects to failure consequence analysis (CSA, 1991): Dry dock gate
flooding definition, fire impact analysis, dry dock collapse impact analysis, transverse bending
failure of the pontoon definition and failure of ship to land on blocks analysis.
Computer programs for dry dock flood definition, developed for traditional dry dock safety
applications, are commercially available. These programs provide estimates of flooding arrival
times, and average flood depth and velocity with time at defined cross sections in the inundated
area (CSA, 1991). Dry dock collapse impact analysis requires the characteristics of the
inundated area including details of population at risk, property and environmental impacts as
well as the responses to the inundation conditions.
2.6.5.7 Assigning probabilities
Risk analysis for dry dock safety is fundamentally a characterisation of the uncertainties in the
performance capability of a dock under the loading conditions of interest (Vicky, 2002). Risk
analysis is useful because it provides a systematic structuring of uncertainty, and this
structuring allows us to better understand how uncertainty arises and how information may
lessen it. The most commonly used measure of uncertainty in the dry dock safety study is
‘probability’ (Vicky, 2002). Probability is a mathematical construct used to express degrees of
uncertainty about occurrence of events, state of the world and truth of propositions. Two
principal interpretations of probability are common: probability as ‘frequency’, and probability
as ‘degree of belief’ (Vicky, 2002). Because there is more than one interpretation of the
meaning of probability, there is also more than one way to assign probabilities.
38
A review of the contemporary literature creates the impression that there is no unique way to
assign probabilities in dry dock safety risk analysis, and such an impression is correct. That
two distinctly different interpretations of probability exist makes it necessary for the analyst to
differentiate which is used for specific probabilities in the risk analysis. As a general rule,
probabilities describing rates of occurrence are interpreted as frequency, while probabilities
describing states of nature (e.g. parameter values) or the truth of hypotheses are interpreted as
degrees of belief (Hartford and Baecher, 2004).
2.6.6 Uncertainty in applications of FSA
The analysis of an engineering system often involves the development of a model of the system.
The model can be viewed as an abstraction of some aspects of the system. In performing this
abstraction, an analyst or engineer must decide which aspects of the system to include and
which to leave out (SSC, 2000). Whether probabilities are assigned by statistical analysis,
engineering modelling, expert opinions, or some combination of these approaches, they are
almost never specified precisely (Hartford and Baecher, 2004).
For fully engineered floating-graving docking systems, such as graving dock gates, given a
robust model and quality data the quantification process might be expected to provide results
within an order of magnitude or so of the long-run frequency or the actual future observation.
Also, depending on the state of knowledge about the system and the background of the analyst
or engineer, other aspects of the system might not be known, thus increasing the overall
uncertainty of the system (SSC, 2000). Clearly, as uncertainty in the models and data increases,
the uncertainty in the quantified risk also increases. However, while the result may not even be
to within an order of magnitude, the process of quantification remains useful in that it permits
an interpretation of the situation under consideration that cannot be achieved any other way
(Hartford and Baecher, 2004).
2.6.7 Expert judgement protocol in FSA
Expert judgement has always played a large role in science and engineering. Increasingly,
expert judgement is recognised as just another type of scientific data, and methods have been
developed for treating it as such. Expert opinion is mostly usually considered to be a statement
of the reasoned degree of belief of the expert concerning a parameter, physical state or
occurrence of an event (Hartford and Baecher, 2004). FSA studies typically rely strongly on
expert judgement. Several studies have been published on the elicitation and use of expert
39
judgement (Keeney and von Winterfeldt, 1991; Chhibber et al., 1992; Cooke, 1991; Cooke and
Goossens, 2000).
The following are expert judgement protocols for FSAs (Rosqvist and Tuominen, 2004): (A)
The basic framework for using expert judgement in FSA step 2: Risk assessment follows the
phases of the revised NUREG-1150 expert judgement protocol (Keeney and von Winterfeldt,
1991), i.e. Phase 1: Identification and selection of the issues (i.e. issues brought from the FSA
step 1: Hazard identification); Phase 2: Identification and selection of the experts; Phase 3:
Discussion and refinement of issues; Phase 4: Training for elicitation; Phase 5: Elicitation;
Phase 6: Analysis aggregation, and resolution of disagreements; Phase 7: Documentation; (B)
Quantities subject to expert elicitation should be decomposed using a common risk model (i.e.
Fault Tree model). This amounts to agreeing on a single ‘model-of-the-world’ (Chhibber et al.,
1992). This is related to Phase 3 of the proposed protocol.
The earlier outline of an expert judgement protocol used in this research reflects Rosqvist and
Tuominen’s (2004) experiences from conducting FSA that: (a) specification of a common risk
model avoids the problems related to the aggregation of experts’ judgements based on different
modelling; (b) it is difficult to find track records of expert performance with respect to bias; (c)
it is time-consuming to assess possible dependencies between the experts; (d) sophisticated
expert models, including parameters for bias and dependence (Chhibeer et al., 1992), motivated
for sensitivity analysis as a specification of the parameters are usually not feasible due to lack
of track records; (d) rational consensus (Cooke, 1991; Cooke and Goossesns, 2000) is an
empirical control method for providing credible estimates of risk model parameters based on
experts’ judgements. The practical feasibility of calibrating experts for the elicitation session
is, however, problematic in the case of FSA risk models, with many parameters requiring
different expertise and experts.
Experts’ judgements can be elicited quantitatively or qualitatively. When expressed
quantitatively, they can have several forms: probabilities, ratings, odds, and weighting factors.
Qualitative expression will include a textual description of the experts’ assumptions in reaching
an estimate and natural language statements of probabilities of events such as ‘likely’ or
statements as to the expected performance such as ‘generally poor’ (Hartford and Baecher,
2004). The challenge for an expert is to demonstrate that his/her judgements (revised
judgement) are consistent with all of the information available now as well as consistent with
any previous judgement.
40
2.6.8 Risk control and cost benefit analysis in FSA
There are two methods to control risk, namely preventive approach (to reduce the frequency of
an initiating event), or mitigating option i.e. to reduce the severity of the failure (Bai, 2003).
The actions for controlling risk include applications of engineering and implementation of
procedures. Practical risk control approaches are investigated and their ability to reduce the
risk documented (Bai, 2003). The effect of risk control actions can be determined by repeating
risk analysis and comparing results to the original case. The benefits are the avoidance of
accidents and these can be measured by evaluating the avoidance of harm to people, damage
to property, environment and other costs. To achieve a balance, the benefits of a risk control
measure must be considered and compared to the cost of implementation. This is done through
a cost-benefit analysis (Bai, 2003).
2.6.9 Recommendation for decision making in FSA
Since dry docks generally impose risk on third parties and the environment, it is appropriate
for risk evaluation for dry dock safety to be consistent with approaches to risk evaluation that
are evolving for other societal activities. The risk analysis, risk control and cost benefit
evaluation processes must be comprehensive, fair, transparent, consultative, and defensive
(Hartford and Baecher, 2004). These are the basic principles of FSA, and the application of
these principles depends on the nature of the risk and the objective of the FSA. Those
responsible for making decisions concerning risk should identify the extent to which the above
principles may apply in the risk analysis, risk control, and cost-benefit evaluation process, as
it will vary from owner to owner and is within an owner’s portfolio of risks to be managed
(Harftord and Baecher, 2004). This final step in the FSA is decision making, which gives
recommendations for safety improvements. The selection of risk control options for the
decision making is based on the cost-effectiveness and the principles of ALARP (As Low As
Reasonably Practicable). Intolerable risk shall be controlled regardless of cost. Reasonable –
means that the costs are in gross disproportion to the benefits (Bai, 2003).
2.7 Introduction to Risk Assessment Methods Applied in this PhD
2.7.1 Fault tree – Formal safety assessment
Fault tree analysis (FTA) - Formal safety assessment (FSA) is a technique, either qualitative or
quantitative, by which conditions and factors that can contribute to a specified undesired event
(called the top event) are deductively identified, organised in a logical manner and represented
41
pictorially (Hartford, and Baecher, 2004). The faults identified in the tree can be events that
are associated with component hardware failures, human error or any pertinent event that leads
to the undesired outcome (e.g. dry dock flooding) (Rajiv, and Pooja, 2012).
Starting with the top event, the possible causes or failure modes on the next lower functional
system level are identified. Following the step-by-step identification of undesirable system
operation to successively lower system levels will lead to the desired system level which is
usually the component or element failure mode (Rajiva and Pooja, 2012). FTA starts by
identifying a problem and all possible ways that the problem occurs. Since 1960 the tool has
been widely used for obtaining reliability information about complex systems. In this method,
obtaining minimum cut sets of complex systems is a tedious process.
It is important to note at the outset that FTA-FSA is one of many tools available to the risk
analysis team. In a risk analysis for floating-graving docking systems, various methods will
generally be used to build a logic structure to analyse the expected future performance. As
such, FTA-FSA will simply be one of the methods used. In the course of the risk assessment it
is important to coordinate how the FTA-FSA for a system fits into the overall risk analysis
model (Hartford, and Baecher, 2004). This theme is critical to the risk analysis in general and
to the FTA-FSA in particular and will be repeated throughout this research. Since it presents
an integral part of this research it is important to outline the advantage and disadvantages of
FTA-FSA (Hartford, and Baecher, 2004). In many respects, fault tree construction and model
evaluation is a craft that depends as much on the knowledge and depth of experience of the
analyst as it does on the required sound engineering and scientific analysis techniques
(Hartford, and Baecher, 2004). Building models that are too detailed or too coarse for a
particular application are obvious downsides to any sophisticated tool (Hartford, and Baecher,
2004).
As a result, a premium is placed on experience, particularly when the system to be analysed is
large and complex. Some of the recognised advantages of FTA-FSA include (Hartford, and
Baecher, 2004): (a) it provides a logical and graphical means to model and analyse system
failure modes, even for large systems; (b) it is oriented to identifying system faults that have a
bearing on the undesired event (e.g. system failure); (c) as a modelling technique for assessing
the reliability of systems it is well developed and accepted; (d) it is an efficient tool when it
comes to modelling the potentially large number of events and event combinations that can
42
lead to failure; (e) sophisticated software tools make the job of fault tree construction,
documentation and quantification an efficient and manageable task.
2.7.2 Fault tree – Bayesian network
The application of mapping a Bayesian network from a fault tree is seen in safety analysis of
aerospace, ship vessels, microchip processing software testing and QNX software systems.
Various applications in this section will be extensively analysed, in order to identify existing
gaps and investigate the theories behind FT-BN application. A detailed analysis is conducted
on the particular idioms adopted in each study.
2.7.2.1 Rotor Failure System Analysis
In 2011, Shao et al. (2011) carried out an analysis on the rotor of an aircraft. They saw a rotor
as the most critical component of the aircraft’s mechanical system. Hence, research was
carried out on rotor reliability, with the use of the FT-Bayesian network mapping approach.
Four kinds of common rotor faults were considered: rotor imbalance, thermal bending, bearing
fault, and axis flaw, based on working conditions. A fault tree was constructed, based on
engineering experiences, with 10 bottom events, six gates, and four intermediate events. A
total of 16 events and their corresponding symbols and values were assigned on experience
basis. In quantifying the prior probabilities of the mapped Bayesian network model, an
ASSUME ‘0.02’ value of rotor operating normally was used (meaning there is no obvious
fault by the level of working condition).
A table was constructed to demonstrate the occurrence probabilities of the failures of rotor
imbalance, thermal bending, bearing fault, and axis flow as 0.6%, 0.5%, 5.4%, and 0.3%
respectively. All probability of faults was lower than 5.5%. Based on these values, the
occurrence probability of system fault level P (R) = 6.7%. The value of 6.7% meant the rotor
is working normally and no fault occurred, which was assessed as being the same as
engineering experience (Shao et al., 2011). The conditional probability of working conditions
P(R) = 1, (which means the system fails), led to the posterior probability of basic events or
nodes in Bayesian model (denoted E1-E10) was calculated and E8 (lack of lubricant) gave the
highest posterior probability value of 74.7, hence highlighting the weakest part of the rotor
system.
In conclusion, they used causal reasoning to predict system failure probabilities, showing that
different components have different reliabilities in the rotor system and their corresponding
43
effects on the whole reliability of the rotor system, providing further evidence to support the
use of a Bayesian network to identify weak links. Therefore, this approach supports the strong
reasoning ability of dealing with incomplete and uncertain information in quantitative
computation. This helps locate the weakest link without need for minimum cut sets in FT.
Lastly, various conditional probabilities could be easily calculated for component or system
failure, which is required in reliability analysis.
2.7.2.2 Vessel Oil System Safety Analysis
This analysis was done by Harbin Engineering University, China with the aim of reducing
marine disasters by researching into static electricity of a vessel’s oil system. In this same year,
the aviation industry in China used FT-BN mapping to improve software safety tests. China’s
interest in FTA-Bayesian networks alone encouraged researchers into this approach. Zhuang
et al. (2011) saw a vessel’s oil system as constituting oil compartments, oil pumps, piping, and
related instruments. A fault tree was developed, based on past engineering experiences where
explosion of the vessel’s oil system was assumed as the top event, consisting of eight
intermediate and 17 basic events. Interestingly, unlike Shoa et al. (2011),
Zhuang et al. (2011) used Boolean algebra to determine the minimum cut sets in the fault tree
to develop what they called ‘The Success Tree of vessel’s oil system.’ This approach is usually
relevant when dealing with large systems that cannot be calculated mathematically. The fault
tree had seven minimum path cuts, and, based on these cuts, the structure of importance of
basic events was obtainable, which concluded, based on fault tree analysis, that ‘poor
ventilation’ and ‘reaching its explosion limits,’ were seen as the most important factors leading
to the explosion of the vessel’s oil system. In mapping fault tree to Bayesian network (BN), a
BN model was represented, due to the dimorphic element, which the fault tree could not handle
as a discrete approach. Hence the conditional probability table (CPT) of intermediate events
was calculated based on the dimorphic state. Quantitative analysis was not carried out in this
study, because there were no statistics to obtain probability values of basic events.
2.7.2.3 Modelling using FTA
FTA is a deductive, structured methodology to determine the potential causes of an undesired
event, referred to as the top event. The top event usually represents a major accident causing
safety hazards or economic loss (Lewis, 1994). Building the fault tree is by a basic procedure,
assuming that the top events have occurred and then work backwards to determine the set of
44
possible causes. The necessary preconditions are described at the next level of the tree with
either an ‘AND’ or an ‘OR’ relationship.
From here, the immediate events should be considered as sub-top events and the same process
should be applied to them until all leaves describe events of calculable probability or are
unable to be analysed for some reason. After that, the fault trees are built by the events in the
analysis process of this step (He and Tao, 2011). A typical example is seen in Figure 2.5.
Figure 2.5: Fault tree of system failure Figure 2.6: BN translated for further analysis
The system will fail if both failure 3 and failure 2 occur. Failure 2 will occur if either a failure
at leaf C or a failure at leaf D (or both) occurs. Failure 3 will occur if either failure 1 or a
failure at leaf E (or both) occurs. Failure 1 will occur if both failure at leaf A and a failure at
leaf B occur (Hopps and Developer, 2012). If a failure follows an exponential distribution,
then the likelihood of occurrence of the system failure at time t is expressed in equation 2.1 as
follows: P (t) = 1-e-αt, where α is failure rate (Hopps and Developer, 2012)
Failure rate, ‘α’ = 1/mean time between failure (2.1)
Calculating the system failure of the fault tree developed above, the Boolean gates are
expressed thus: P [SF] = P (F3.F2), P [F2] = P [C+D], P [F1] = P [A.B] = P [A] +P [B]-P
[A.B], if events are independent of each other,where P[X] represents the probability of failure.
F1, F2, F3 are failures 1, 2 and 3 respectively, and SF is the system failure in Figure 1. The
minimum cut sets is calculated: SF=F3.F2, F2=C+D, F3=F1+E, F1=A.B, F3=A.B+E,
SF=F3.F2, SF= (A.B+E). (C+D)SF= ABC+ABD+EC+ED. Four minimum cut sets expressed
can cause the occurrence of the top event, and, by preventing set events from happening,
system failure can be avoided. If, for example, the mean time between the failure of events A,
45
B, C, D, and E is 10,000 hours and the system failure is at, t = 5000 hours, failure rate of each
events A, B, C, D and E is calculated using equation 2.1:
Failure rate, α, = 1/10,000 = 0.0001, P (A, B, C, D, E) = 1-e-αt = 1-e-0.0001x5000 = 0.39
The value 0.39 follows an exponential distribution. The occurrence probability of top event
system failure (SF) can be calculated using absorption laws in fault tree quantitative analysis
P [SF] =P [ABC + ABD +EC +ED]
U V
P [SF]= P [U + V] = P [U]+P [V]-P [U.V]
P [SF]= P [ABC+ABD]+P [EC+ED]-P [(ABC+ABD) (EC+ED)]
W X Y Z
P [W+X] = P [W] +P [X]-P [W.X], P [ABC+ABD] = P [ABC] +P [ABD]-P [ABC ABD] = P
[ABC] +P [ABD]-P [ABCD] =0.39x0.39x0.39+0.39x0.39x0.39-[0.39x0.39x0.39x0.39] = 0.095
P [Y+Z]= P [Y]+P [Z]-P [Y.Z]
P [EC+ED] = P [EC]+P [ED]-P [EC ED]
= P [E] P [C]+P [E] P [D]-P [C].P [D]. [E] = 0.245,
Therefore, P [W+Y] = 0.095+0.245–P [ABCEC+ABCED+ABDEC+ABDED] = 0.095+0.245 –
[ABCE+2ABCDE+ABDE] = 0.095+0.245-0.064 = 0.276. Conversely, if data available shows that
the system failed once over a 12-month period, using equation 2.2;
P =αxΩ-1 (2.2)
1 failure/365 days (1failure/day)-1 = 0.27%
The value 0.276 means the system fails once in a 12-month period. Where the system fails
twice every year, the probability of failure (P) of the top event is 0.54% using equation 2.2.
Using the FT + software available, ‘0.27’ failure rate of the top event is obtained using the
same values of basic events’ failure rates. This trivial system is represented in Figure 2.6; the
minimum cut sets can be calculated as E, C, E, D, A, B, C, A, B, D but for realistic
trees, computer programs are needed to identify minimum cut sets.
2.7.2.4 Bayesian network
The Rev. Thomas Bayes published his famous theorem in the 18th century. If belief can be
identified with probability, then the theorem allows reasoning from effect to cause as follows:
if E was true then H would result. H is actually true. This increases my belief in E by a certain
46
amount. Clearly, depending on a priori unlikeliness of E, the amount by which E increases the
belief may be very small or quite large. For example, if two events ‘e’ and ‘h’ are considered
where event ‘e’ is the influenced node and event ‘h’ is the influencing node, the Bayes’
theorem P (e) is the prior or marginal probability of e, P (e/h) is the conditional probability of
e given h, P (h/e) is the conditional probability of h given e and P (h) is the prior or marginal
probability of h. More formally, given a hypothesis ‘h’ and some evidence ‘e’, Bayes' theorem
states that (Hobbs and Developer, 2012):
P (h/e) = P (e/h) P (h) (2.3)
P (e/h) P (h) + P (e /¬ h) P (¬ h)
Where P (X|Y) is the probability that X occurs given that Y has occurred and ¬X means “not
X”. As a trivial example, assume that: ‘h’ is the hypothesis that “It is raining at the moment”.
‘e’ is the evidence that “I have just seen Chris with his umbrella”. A node is generally drawn
as an oval or circle, representing the variable or event. The arc is generally a straight line with
an arrow head illustrating the direction of the link from the source node, often called the
‘parent node’, to the target node, often called the ‘child node’, as in Figure 2.7, which
represents a simple BN consisting of events e, and h.
Figure 2.7: CPT for a simple BN structure
The CPT of parent ‘h’ has two states, namely h1 and h2, together with probabilities P (h1), P
(h2). The CPT of event ‘e’ has two states, e1 and e2, but the states are influenced by event ‘h’.
Bayesian networks allow for this difference in failure information by accepting evidence for
the failure rate of any node, then using Bayes' theorem to calculate the ‘posteriori’
probabilities of the failure rates of the sub-elements, reasoning from effect to cause. Chris
carries his umbrella 60% of the time when it is raining [P (e/h) = 0.6]. Chris carries his
umbrella 30% of the time when it is not raining [P (e/ ¬ h) = 0.3]. In the area where Chris
lives it rains 20% of the time [P (h) = 0.20].
This is known in the literature as the ‘prior’ probability because it is a measure of the
probability of the hypothesis before any evidence is considered. Given these values, a person
observing Chris in the street with his umbrella can calculate the probability that it is raining
h1 P(h1)
h2 P(h2)
h1 h2
e1 P(e1/h1) P(e1/h2)
e2 P(e2/h1) P(e2/h2)
Parent
Child
47
(Hobbs and Developer, 2012) using equation 2.3 expressed as: (0.6 x 0.2)/ (0.6 x 0.2) + (0.3
x 0.8) = 0.33. This theorem forms the basis of BN modelling. It is therefore a directed acyclic
graph (DAG) that encodes a conditional probability distribution (CPD) at the nodes of the
basis of the arcs received to form an equivalent conditional probability table (CPT). From an
engineering analysis point of view, given a ‘ship engine’ that requires ‘oil’ for lubrication and
‘water’ for cooling, three nodes can be constructed with engine as child node and coolant pipes
and oil pumps as parent nodes.
Coolant pipes have two states, either ‘leak’ or ‘no leak’; oil pumps states are ‘fail’ or
‘working’; and engine states are ‘fail’ or ‘running’. A visual representation of nodes and
events that can represent this analysis is presented in Figure 2.8.
Figure 2.8: CPT for Engine, coolant hose and oil pump
Parent nodes are given prior probability and child is given posterior probability. This shows
30% that the coolant pipe will leak and 70% that there is no leak. Similarly, the probability of
the oil pump failing or working is 50% from historical failure data, age of the component, and
relevant variables. Adopting a chain rule, the nodes, ‘coolant pipe’ and ‘oil pump’ are termed
‘Q’ and ‘T’ respectively, and the ‘engine’ is termed ‘S’. Sf signifies state ‘engine fails’. The
probability of ‘engine failure’ using equation 2.2 can be calculated as:
P (Sf) = ∑ .2i=1 ∑ p(C1QT)p(Qi)p(Tj)2
j=1 (2.4)
Event modelling can also be carried out by using the Hugin software which gives the same
results (0.56) as calculated mathematically using equation 2.4.
P(engine fail)= P(oil fail) x P(coolant leak) x P(prior engine fail)+P(oil fail)x(coolant no leak)x
P(prior engine fail)+P(oil work)x(coolant leak)x P(prior engine fail)+P(oil work)x(coolant no leak) x
P(prior engine fail)
= 0.5 x 0.3x 1+0.5x 0.7x 1+0.5 x 0.3 x 0.3 + 0.5 x 0.7 x 0.05= 0.56%
Leak 30.0 fail 50.0
No leak 70.0 working 50.0
Oil fail working
Coolant leak No
leak
leak No
leak
Fail 100 100 30 5
Running 0.0 0.0 70 95
Coolant
hose
ENGINE
Oil
pump
48
2.7.3 Fuzzy set theory and evidential reasoning
The fuzzy philosophy states that everything is a matter of degree: a world of multivalence, the
opposite of which is bivalence. Positivism demands evidence, factual or mathematical. Based
on binary logic it comes down to law: A or not -A – it cannot be both A and not -A (Fellow and
Liu, 2008). Fuzzy logic is reasoning with fuzzy sets. A fuzzy cognitive map is a fuzzy causal
picture of the world and a fuzzy system is a set of fuzzy rules that converts inputs into output.
Fuzzy is a mathematical formalisation which enables representation of degrees of membership
of members in sets (Fellows and Liu, 2008).
There are various techniques of fuzzy logic such as ‘discrete’ (Godaliyadde et al., 2010; Wang
et al., 1995 and Yang et al., 2005) ‘continuous fuzzy sets’ (Mukaidono,, 2001; Koa et al., 2007
and Ung et al., 2006), and ‘fuzzy rule base’ (Yang et al., 2006; Kowalewski et al., 2007 and
Yang et al., 2009) that have been used in risk assessment in the maritime industry. According
to Nwaoha et al. (2012) the ‘discrete fuzzy set’ is preferred due to its simplification. Discrete
fuzzy set also helps to define fuzzy rule base more easily. This section presents the background
of discrete fuzzy set associated with failure likelihood, consequence severity and failure
consequence probability. The fuzzy set representation are Nwaoha et al. (2012):
Si = Cs o FCP x FL (2.6)
This is represented in terms of membership functions µ, as follows
Siµ = Csµ o FCP
µ x FLµ (2.7)
where, Si is the Risk/safety score of the ith event FCP is the Failure consequence probability. FL is
the Failure likelihood probability. O is the Fuzzy composition operation. X is the Fuzzy Cartesian
product operation. Cs is the Consequence severity (Nwaoho et al., 2012). Expressing linguistic
parameters in terms of membership functions, Csµ is the description function of Cs in terms of
the membership degree of µ (1, 2, 3, 4, 5, 6, 7) associated categories in Table 2.2. FCPµ is the
description function of FCP in terms of the membership degree of µ (1, 2, 3, 4, 5, 6, 7)
associated categories in Table 2.3. FLµ is the description function of FL in terms of the
membership degree of µ (1, 2, 3, 4, 5, 6, 7) associated categories in Table 2.4. Siµ means the
description function of Si in terms of the membership degree µ (1, 2, 3, 4, 5, 6, 7) associated
categories are obtained using a max-min method based on equation 2.7 (Nwaoho et al., 2012)
Failure likelihood describes the failures’ frequencies in a certain time, which directly
represents the numbers of failures anticipated during the design lifespan of a particular system
49
or an item. Linguistic variables for Table 2.2 are defined thus: very low (VL), low (L),
reasonably low (RL), reasonably frequent (RF), frequent (F) and highly frequent (HF), per
shipyard year (PYS) and definite variable (E).
Table 2.2: Failure Likelihood (Nwaoho et al., 2012)
Consequence severity describes the magnitude of possible consequences, which is ranked
according to severity of the failure effects. Its variables are described in Table 2.3 as negligible
(N), marginal (MA), moderate (MO), critical (CR) and catastrophic (CT).
Table 2.3: Consequence Severity (Nwaho et al., 2012)
F Definition Linguistic Variable Membership sets Category
Csµ
1 2 3 4 5 6 7
N Minor injury or unscheduled docking
required
1 0.75 0 0 0 0 0
MA Multiple injury,
operations interrupted
marginally
0 0.25 1
0.75
0 0 0
MO Multiple injury,
operation and production interrupted
0 0 0.75
0.25
0.25 0 0
CR Single dead, high
degree of operational interruption
0 0 0
0.75
1
0.25
0
CT Multiple deaths,
total system loss
0 0 0 0 0 0.75 1
Failure consequence probability is the probability that ensued consequences given the
occurrence of the event where the linguistic terms described in Table 2.4 are highly unlikely
(HU), unlikely (U), reasonably unlikely (RU), likely (L), reasonably likely (RL), and definite
(D).
F Definition PSY
Linguistic Variable Membership sets Category FL
µ
1 2 3 4 5 6 7
VL
Likely to occur once per year in the
floating dry dock
0.1<E 1
0.75
0 0 0 0 0
L Likely to occur once in the life in
all the floating dry docks
0 0.01<E<0.1 0.25 1
0.75
0 0 0 0
RL
Likely to occur 10 times per year in floating dry dock
0.1-2<E<0.1-1 0 0 0.25
1 0.75
0 0
A Likely to occur once per year for all
floating dry docks
0.1-3< E<0.1-2 0 0 0.5 1
0.5
0 0
RF
Likely to occur one time in 10 years
for all floating dry docks
0.1-4 <E <0.1-3 0 0 0
0.75
1 0.25 0
F Repeated failure E= 0.25-1 0 0 0 0
0.75
1
0.25
HF
Failure is almost inevitable E> 0.25-1 0 0 0 0 0 0.75 1
50
Table 2.4: Failure Consequence Probability (Nwaoho et al., 2012)
F Definition Linguistic Variable Membership sets Category
FCPµ
1 2 3 4 5 6 7
HU HU given occurrence of failure
event (extremely unlikely to exist)
0 0 0 0 0
0.75
1
U U but possible given occurrence that the failure event happens
0.25 1 0.75 0 0 0 0
RU RU given the occurrence of failure event 0 0.25 1 0.75 0 0 0
L L given that failure event occurs and no detection
0 0 0.5 1 0.5 0 0
RL RL given occurrence of failure event from
time to time due to operational
weaknesses or design weakness
0 0 0 0.75 1
0.25
0
HL HL given occurrence of failure event due to highly likely potential hazardous
situation
0 0 0 0 0.75 1 0.25
D Possible consequence given the occurrence of a failure event repeated
during operations
0 0 0 0 0 0.75 1
Table 2.5 describes the membership expression as poor (P), average (AV), good (G) and
excellent (E).
Table 2.5: Safety Membership (Nwaoho et al., 2012)
In better understanding the membership expression for poor in Table 2.5, P [0, 0, 0, 0, 0, 0,
0.75, 1] with a more expressive failure likelihood VL [1, 0.75, 0, 0, 0, 0, 0, 0, 0] in Table 2.5,
the safety expression poor can be incorporated into the appropriate safety score. A membership
expression of [‘1’/1, ‘2’/0.75, ‘3’/0, ‘4’/0, ‘5’/0, ‘6’/0, ‘7’/0 ] (Sip) can be expressed:
Sip = CsCT o FCP
D x FLHF (2.8)
The safety expression for average, good and excellent is likewise expressed. Using the best fit
method, the safety risk description Si of the ith basic event can be mapped back to one (or all)
of the defined four safety expressions in this study (Wang et al., 1998, Nwaoho et al., 2012).
The method uses the distance between Si and each of the safety expressions to represent the
Siµ Categories
1 2 3 4 5 6 7
P
0
0 0 0 0 0.75 1
A
0
0 0 0.5 1 0.25 0
G
0
0.25 1 0.5 0 0 0
E
1
0.75 0 0 0 0 0
51
degree to which Si is confirmed to each of them. An illustration is given when using safety
expression poor,
Di1 (Si, poor) = 2/1
7
1
2
j
j
poori
j
S (2.9)
When the unscaled distance Di1 (j=1, 2, 3, 4) is equal to zero, Si is just the same as the jth safety
expression in terms of membership functions. In such a case, Si should not be evaluated to
other expressions (Nwaoho et al., 2012).
Because of this DiJ (1<J<4) is introduced and defined based on Dij for any given distances for
Si is used to calculate αi. In order to more clearly express the safety level of Si the reciprocals
of the relative distances between Si and each safety expression, Dij, expressed as αij are
normalised into new indexes βij (j=1,2,3,4). αij can be defined in relation to the distance as:
αij = 1/ Dij/ (DiJ ) j = 1, 2, 3, 4 (2.10)
If Dij is equal to zero, it follows that βij is equal to 1 and the others are equal to 0. In other
situations, βij can be expressed as:
βij = αij/∑ αij4m=1 j= 1,2,3,4 (2.11)
Each βij (j=1,2,3,4) represents the extent to which Si belongs to jth defined safety expression.
Mapping back to safety expression output (SO) implies:
SO (Si) = [(βi1, ‘P’), (βi2, ‘AV’), (βi3, ‘G’), (βi4, ‘E’) (2.12)
The fuzzy approach offers alternatives to positivism (Eleye-Datubo, 2006; Kosko, 1965 and
Zadeh, 1965). The real applications are not as simple; sometimes an understanding of
mathematics is required. The applications of fuzzy theory to economics, the social science,
management, psychology and other areas have been published so far. In these applications
there are some common approaches in uncertain environments, fuzzy modelling, and uncertain
structure identification and decision making which is a topic in operations and research
(Zimmerman, 2001). It is worth noting that the limitations of discrete fuzzy set manipulation
led to development of fuzzy rule base and evidential reasoning to be highlighted later in this
Chapter.
52
2.7.4 Evidential reasoning
The application of the ER approach was illustrated by Nwaoho et al. (2012). They carried out
an illustrative application of fuzzy set theory to failure modes modelling uncertainty treatment
of a LNG spherical moss tank design. The first part of their study included a hazard
identification process using a brainstorming technique on various causes of events in LNG
moss design tankers using a fault tree analysis diagram. The second part of their illustration
was risk assessment, where risks associated with failure modes are assessed. This is the most
detailed part which includes gathering subjective language from experts on the three risk
parameters in the study and applying Fuzzy evidential reasoning (FER) mathematics to obtain
a crisp value of risk of each base event (Eleye-Datubo, 2006).
Twelve (12) base events were identified and the overall safety expression of the top event was
estimated to be ‘poor’. This implies that the three risk control options – regular inspection,
training of crew, and effective maintenance – needed to be re-enforced to improve safety. In
conclusion, FER was proven once more as an outstanding method for an effective risk
estimation and control of hazards in marine engineering structures using a fuzzy set logic/or
fuzzy rule base and evidential reasoning in applications where there is lack of data. The next
section presents the mathematics of FER (Eleye-Datubo, 2006).
Once the safety output is obtained from the basic event using equation 2.12 and expressed in
its corresponding safety expression output (SO), then it is important to access a situation where
two multi-national experts are involved. This section seeks first to establish the mathematics
of using ER with two experts where there is no software. In this study care is given to how
equation 2.21 is derived. Where more than three experts are involved the software is required
to be used; nonetheless, the safety expression aggregated can be transformed to its crisp value.
The mechanism of ER can be explained using the aggregation of two safety assessments.
Suppose the two safety assessments are denoted βjSij and expressed (Nwaoho et al., 2012):
βjSi1 and βj
Si2 represent,
the extent to which the safety assessments of two basic events, Si1 and Si2, are confirmed to jth
safety expression. Suppose the relative weights for SO (Si1) and SO (Si2) are w1 and w2. The
relative weights of SO (Si1) and SO (Si2) are normalised using the expression as follows:
∑ 𝑤2𝑘=1 k = 1: 0 ≤ wK ≥ 1 (2.13)
53
For SO (Si1) and SO (Si2), their probability masses Si1m and Si2m are expressed as follows:
Si1m = w1 βjSi1 and Si2m = w2 β
jSi2, m = 1, 2, 3, 4 (2.14)
Meanwhile, the following can be obtained S^ i1H = 1- w1 = w2 and S^ i2H = 1- w2 = w1 :
Sǫ i1H = w11-∑ βj
Si12𝑘=1 = w1 [1-(β1
Si1+ β2Si1+ β3
Si1+ β4Si1)]
Sǫ i2H = w21-∑ βj
Si12 𝑘=1 = w2 [1-(β1
Si2+ β2Si2+ β3
Si2+ β4Si2)] (2.15)
Sǫ i1H and Sǫ
i2H represent the degree to which other basic events can play a role in the
assessment. S^ i1H and S^ i2H are the individual remaining belief values unassigned for SO (Si1)
and SO (Si2) respectively. Si1H = S^ i1H + Sǫ i1H and Si2H = S^ i2H + Sǫ
i2H where Si1H and Si2H
represent possible incompleteness in the subsets SO (Si1) and SO (Si2). The combined
probability masses, Si1m and Si2m, and Si1H and Si2H are as follows:
Sim = K (Si1mSi2m + Si1mSi2H + Si2mSi1H) (2.16)
SiH = K (Si1H Si2H), m = 1, 2, 3, 4 (2.17)
K= 1- ∑ ∑ SiASi2B4𝑅=1
4𝑇=1 -1 (2.18)
The combined degree of belief (Tm) can be calculated as follows:
Tm = Sim/(1- SiH), m = 1, 2, 3, 4, (2.19)
To rank the ‘very high’ risk hazards, the crisp values of their safety descriptions can be
calculated as follows:
Qi = ∑ Tm 4𝑚=1 x Pm (2.20)
P1 = P14/ P
11, P2 = P1
3/ P11, P3 = P1
2/ P11, P4 = 1
P11, P
12, P
13, P
14 represent the unscaled numerical values associated with the linguistic terms
(i.e. poor, average, good and excellent) of the safety expression. P11, P1
2, P1
3, P14 can be
calculated as follows (Nwaoho et al., 2012):
P11 = [0.75/(0.75+1)]6 + [1/(0.75+1)]7 = 6.571, P1
2 = [0.5/ (0.5+1+0.25)]4 + [1/0.5+1+0.25]5 +
[0.25/(0.5+1+0.25)]6 = 4.854, P13 = [0.25/0.25+1+0.5]2 + [1/0.25+1+0.5]3 + [0.5/(0.25+1+0.5)]3
+[0.5/(0.25 + 1 + 0.5)]4 = 3.141, P14 = [1/1(1+0.75)]1 + [0.75/(1+0.75)]2 = 1.428.
54
Substituting the values of P11, P
12, P
13, and P1
4 in equation 14 yields:
Qi = 0.271 x T1i + 0.478 x T2
i + 0.739 x T3i + 1.0 x T4
i (2.21)
2.7.5 Fuzzy rule base
With the purpose of modelling more general, complex decision-making problems under
uncertainty, the belief rule idea was proposed by considering a belief distribution in a
conclusion (belief degree), the relative weight of the rule (rule weight) and the relative weight
of an antecedent attribute (attribute weight). Mathematically, a belief rule base (BRB) which
captures the dynamic of a system consists of a collection of belief rules and the fuzzy inference
system (FIS) is defined as follows (Yang et al., 2006):
Rk : IF x1 is A1k ˄ x2 is A2
k……..xTk is ATkk THEN (D1, β1k), (D2, β2k),…. (DN, βNk) (2.22)
With a rule weight θk and attribute weight δk1,δk2, ……. δKTk, where x1, x2, ……. xTk represents
the antecedent attributes in the kth rule Rk, Aik ( i = 1,2…, Tk, k = 1,2…L) is the referential
value of the kth rule Rk, Aik ∊ Ai, Ai = Aij, j = 1,2,….Ji is a set of referential value, θk (∊ R+,
k = 1,2,…L) is the relative weight of the kth rule Rk,, δk1,δk2, …. δKTk are the relative weights of
the Tk antecedent attributes used in the kth rule Rk, and βik (i=1,2…,N, k = 1,2….,L) is the
belief degree assessed to Dj which denotes the jth consequent. If ∑ .Tk
i =1 βik = 1, the kth rule RK is
said to be complete; otherwise, it is incomplete. Note that “˄” is a logical connective to
represent the “AND” relationship. In addition, suppose that T is the total number of antecedent
attributes used in the rule base.
2.7.5.1 Belief rule-based inference
Given an input to the system, U(t) = Ui(t), i = 1,2…, TK, how can the rule-base be used to
infer and generate the output? As mentioned earlier, Tk is the total number of antecedents,
which can be one of the following types (Yang et al., 2006): continuous, discrete, symbolic
and ordered symbolic. Before the start of an inference process the matching degree of input to
each referential value in the antecedents of a rule needs to be determined so that an activation
weight for each rule can be generated.
This is equivalent to transforming an input into a distribution on referential values using belief
degrees and can be accomplished using different techniques such as the rule or utility-based
equivalence transforming techniques (Yang, 2001, and Yang et al., 2007). Using the notations
provided above, the activation weight of the kth rule Rk, wk, is calculated as (Yang et al., 2006):
55
Wk = θkak
∑ θiai Li=1
(2.23)
where ak is called the normalised combine matching degree. This reflects the individual
matching degree to which the input matches its referential value Aik of the packet antecedent
Ak in the kth rule Rk and aki ≥ 0 and ∑ .Tk
i =1 aki ≤ 1. In BRB it can be generated using various ways
depending on the different types of input information. In Yang’s (2001) paper, an important
technique, i.e. rule based information transformation technique, was proposed to deal with the
input information that includes qualitative assessment and quantitative data. This paper gives
a detailed overview for quantitative data.
2.7.5.2 Rule based FIS using belief structure
In this section, the FIS structure is described in the proposed framework. In many applications,
the knowledge that is used to make the rules in an FIS is uncertain. The uncertain rules can be
generated by experts or from training datasets. In the design of rule-based systems, ignorance
may occur owing to weak implications of experts in assigning a certain relation between
antecedents and the consequents (Yang et al., 2006). In this case, different antecedent attributes
indicating the inputs of the FIS are defined using linguistic variables. The uncertainty in the
relationship of different attributes and consequent terms can be represented while the
vagueness in the consequent grades is modelled through fuzzy focal elements (Aminravan et
al., 2011) as presented in Figure 2.9.
Figure 2.9: The schematic of belief structure FIS
Generally, inference by human beings (i.e. subjective assessment) is based on an implication
of a small numbers of features. Most rules that an expert provides are nonlinear mappings of
the attributes, characterised by linguistics terms, to the consequent basic probabilities. The
nonlinear mapping in a rule-based FIS is modelled using fuzzy implications. As in the proposed
belief structure, this models more facets of uncertainty compared to classic FIS; the subjective
knowledge can be expressed with a higher number of rules (i.e. more uncertainty mappings
FCP
CS
FL
kth
h
Fuzzy composition
FDST combination
Wk
Aik
Rk
56
from the antecedent to the consequent space). Hence, a challenge in a belief structure FIS is
dealing with the higher computational overhead compared to classic FIS engines (Aminravan
et al., 2011). The proposed FIS engine uses a mathematical manipulation inference procedure
to determine the firing strength of each rule. Different weights for each antecedent attribute
and each rule are considered. To account for the importance of each attribute, the rule
combination and defuzzification are followed by the classic pattern of an FIS. The rule
combination on activated rules can be represented as a distributed assessment or can be the
input to another FIS engine (Aminravan et al., 2011).
To properly represent real-world knowledge, fuzzy production rules have been used for
knowledge representation to process uncertain, precise and ambiguous knowledge (Chen,
1988, Liu et al., 2012). Another kind of uncertainty exists when a strong correlation between
premise and conclusion cannot be established. That condition means the evidence available is
not adequate, or experts do not support a hypothesis totally but only to a degree of belief (Liu,
et al., 2013).
2.7.5.3 Rule weight
The effect of rule weights in the rule-based classification system have been considered by
previous researchers (Ishibuchi and Yamamoto, 2001, 2005). Some rule-based classification
systems do not assign different weights to the rules. In most cases with this condition, the
membership of different levels of attributes is extracted from datasets (Ishibuchi and
Yamamoto, 2001). Thus, the membership is modified using the training data to compensate for
assigning the same weights to all rules. Adjusting the membership can result in lower
comprehensibility of the rule-based system. As a solution, some approaches use constraints to
compromise between accuracy and comprehensibility of the FIS. However, where real training
data is not available, memberships and rules are defined using expert knowledge. A rule weight
approach in this case can improve the accuracy of FIS (Ishibuchi and Yamamoto, 2001).
2.7.5.4 Attribute weight
The attribute weights are assigned based on expert opinion presented on a comparison non-
linear matrix and will remain fixed in the proposed FIS. In general, a feature in antecedent
space can be a fuzzy piece of evidence. It can be a crisp (singleton) input but most of the time,
due to the unreliable nature of input data, they may better be represented by a fuzzy
57
membership which conveys the dispersion of information or an equivalent concept of the
distribution of the feature (Ishibuchi and Yamamoto, 2001).
2.7.5.5 Fuzzy logic systems and their properties
A fuzzy logic system consists of four components as shown in Figure 2.10: fuzzy rule base,
fuzzy interference engine, fuzzifier, and defuzzifier. Fuzzy rule base A fuzzy knowledge/rule
base consists of a set of fuzzy IF-THEN rules. It is the core of a fuzzy logic system in the sense
that all other components are used to implement these rules in a reasonable and efficient
manner. Human knowledge has to be represented in the form of the fuzzy IF-THEN rules. The
three major properties of fuzzy rules are outlined as follows: (1) A set of fuzzy IF-THEN rules
is consistent if there are no rules with the same IF parts but different THEN parts; (2) A set of
fuzzy IF-THEN rules is continuous if there do not exist such neighbouring rules whose THEN
part fuzzy sets have empty intersections (Eleye-Dutaba, 2005).
Figure 2.10: An overview of the safety model using a fuzzy rule base approach (Eleye- Dutaba, 2005)
Fuzzy inference engine:In a fuzzy inference engine, fuzzy logic principles are used to combine
the fuzzy IF-THEN rules in the fuzzy rule base into a mapping from a fuzzy set.
Fuzzifier: The fuzzy interference engine combines the rules in the fuzzy rule base, and then it
carries out a mapping from one fuzzy set to another. Owing to the fact that in most applications
the input and output of the fuzzy system are real-values numbers, we must construct
interferences between the fuzzy inference engine and the environment. A fuzzifier is defined as
a mapping from a real-valued point to a fuzzy set. The fuzzifier should consider the fact that
the input is at the crisp point. The fuzzifier should help to simplify the computations involved
in the fuzzy inference engine.
Risk analysis
parameter inputs
Fuzzifier Fuzzy inference
engine
Defuzzifier
Risk analysis
results
Fuzzy rule base
Data collection analysis Data collection analysis
Other information
58
Defuzzifier: The defuzzifier is defined as a mapping from fuzzy set (which is the output of the
fuzzy inference engine) to a crisp point. Conceptually, the task of the defuzzifier is to satisfy a
point that best represents the fuzzy set. This is similar to the mean value of a random variable.
There exist a number of choices in determining this representing point such as the ‘centre
average defuzzifier’, which is the most commonly used defuzzifier in fuzzy systems.
2.7.5.6 Establish experts real-valued hazard data
Anticipated and identified causes or factors related to technical failure of a floating dry dock
system operation are collected for multiple attributes and experts’ knowledge. As related to the
experts’ interpretation, their crisp values are then entered from database knowledge for the
obtained parameters. The inputs are directed into a process that determines the degree to which
they belong to each of the appropriate fuzzy sets via membership functions (MFs). The
algorithm uses either symmetric, singleton, rectangular, triangular or trapezoidal MFs,
uniformly distributed by each universe of discourse (Ishibuchi and Yamamoto, 2001).
2.7.5.7 Fuzzy input set to extract rules
The next step is to take inputs and determine the degree to which they belong to each of the
appropriate fuzzy sets via membership functions. Based on the Aik i=1
N (fuzzy sets in Ui α R),
which denotes the value of input linguistic variables xi i=1N (conditions), rules can be
extracted for the antecedent such as ‘x1 is Aik and ……….. xN is AN
k. Thus, the membership
value associated with the input x1 is Aik (Eleye-Dutaba, 2005).
2.7.5.8 Extraction of rules from input fuzzy sets and fuzzy rule base
Based on the input fuzzy variables, rules can be extracted from the antecedent/premise, which
is denoted as ‘x is A’. Moreover, each given rule has more than one part in a BRB system; fuzzy
logical operators of ‘AND’ or/and ‘OR’ are applied to evaluate the composite function firing
strength of the rule. Once the inputs have been fuzzified, the degree to which each part of the
antecedent has been satisfied for each rule is recognised (Eleye-Dutaba, 2005).
If a given rule has more than one part, the fuzzy logical operators are applied to evaluate the
composite firing strength of the rule. Fuzzy relations play an important role in fuzzy inference
systems. Fuzzy relations use notions from crisp logic. Concepts in crisp logic can be extended
to fuzzy relations by replacing 0 or 1 values with a fuzzy membership value. A singleton fuzzy
rule that assumes the form ‘if x is A, then y is B, where x € U and y € B is called the “consequent
59
conclusion” (Eleye-Dutaba, 2005). Interpretation of a fuzzy rule base rule involves two distinct
steps. The first step is to evaluate the antecedent, which involves fuzzifying the input and
applying necessary fuzzy operators. The second step is implication, or applying the result of
the antecedent to the consequent, which essentially evaluates the membership function (Eleye-
Dutaba, 2005).
2.7.5.9 Evaluation of rules for output fuzzy set
To produce safety evaluation for each cause of a technical failure at the bottom level of a
hierarchical system, the consequence/conclusion as denoted by ‘y is B’ is formed for the output
fuzzy variable in the system. Its output set can be defined using fuzzy safety estimate sets in
the same way as the fuzzy inputs (Eleye-Dutaba, 2005). The implication method of the
minimum or the product then shapes the output membership functions on the basis of the firing
strength of the rule. This input for the implication process is a single number given by the
antecedent, and its output is a fuzzy set (Eleye-Dutaba, 2005).
2.7.5.10 Aggregation and de-fuzzification
Aggregation is a process whereby the outputs of each rule are unified. Aggregation occurs only
once for each output variable. The input to the aggregation process is the truncated output fuzzy
sets returned by the implication process for each rule. The output of the aggregation process is
the combined output fuzzy sets. The input of the aggregation process is the list of truncated
output functions returned by the implication process of each rule (Aminravan et al., 2011).
The output of the aggregation process is one fuzzy set for each output variable. As this method
is always commutative, the order in which the rules are executed is not important. The max
(maximum) method is applied to the aggregation of consequent, ‘y is B’, across the rules. The
normalisation is required to make the sum of weights equal to 1 (Eleye-Dutaba, 2005).
This is achieved by dividing each membership value in the fuzzy conclusion set by the sum
total of all membership values in the set. Defuzzification is used to obtained a single number
output; the input for the process is a fuzzy set (the aggregated output fuzzy set), and the output
of the defuzzification process is a crisp value obtained by using a defuzzification method such
as the centroid, height, or maximum (Aminravan et al., 2011).
60
2.8 Problems in Application of FSA in Dry Docking Industry
In the application of FSA in the floating-graving docking system some problems are
encountered similar to applying FSA in the ship navigational system (Hu et al., 2007). Firstly,
for many years, the statistical data associated with dry docking accidents is customarily based
on laws and regulations on the statistics of water-traffic accidents. The classification of the
ships and the power of their main engine, the number of deaths and the direct economic losses
are considered as the main standards in ranking the shipping-dry docking accidents. Another
problem is that there are certain disadvantages in achieving management in a time span, so that
it is difficult to obtain the accurate statistics of the consequences of accidents. How to determine
new models of risk consequences with the help of the accident ranking records?
Secondly, case statistics and analysis are the basic tasks in FSA. It can make preliminary
analysis and assessment of ‘what would go wrong’ before the occurrence, but the key point of
analysis is how to make full use of recorded dry docking evolution cases. However, in this kind
of analysis, it is inevitable to encounter the problem of the quantity of case-statistics samples,
and the accuracy of the result of the generic model based on a few samples is doubtable. To
obtain more accurate assessment results, which can be frequently quoted, it is necessary to
build another type of risk-assessment model.
Thirdly, the statistical span of the generic model is great, and the risk levels of research subjects
in the analysis are quite intensive because of various restrictions, so it is not easy to collect
detailed quantity data of docking activities so as to effectively identify the main risk problems.
In order to show the frequency and severity of the main hazardous events in a Poisson process,
it is necessary to build a relative risk-assessment model to better understand the construction
and influential factors of risks. Lastly, although the generic model takes ‘frequency’ and
‘severity’ into consideration, it is necessary to consider ‘obligated severity’ in the detailed
analysis of the research subjects, such as the proportion of each research subject on the
obligation of faults in occurrences of accident.
2.9 Justification of Research
A floating-graving structure is a complex and expensive engineering structure composed of
many systems and is usually unique with its own operational characteristics (Wang and Ruxton,
1997). These structures need to adopt new approaches, new technology, and to new hazardous
situations, and each element brings with it a new hazard in one form or another. Therefore,
61
safety assessment should cover all possible areas including those where it is difficult to apply
traditional safety assessment techniques. Such traditional safety assessment techniques are
considered to be mature in many applications. Depending on the uncertainty level/the
availability of failure data, appropriate methods can be applied individually or in combination
to deal with the situation. All such techniques can be integrated in the sense that they formulate
a general structure to facilitate risk assessment and FSA (Pillay and Wang, 2002). When
dealing with floating-graving system risk analysis, it is clear (see Section 2.6.5) that FTA,
HAZOP, FMEA, PNs and MCS techniques cannot be easily implemented since such
techniques need the frequencies of hazardous situations to be usually estimated based on
historical failure data. Almost invariably, failures are assumed to be random in time; that is,
the obtained number of failures is divided by an exposure period to give a failure rate and this
is assumed to be age-dependent (Wang and Trbojevic, 2007).
Using common sense it can be seen that, many modes of failure are more common in the earlier
or later years of the life of a component or a system. Even with high-quality data, sample sizes
are often small and statistical uncertainties are relatively large. Lack of reliable safety data and
lack of confidence in safety assessment have been two major problems in the safety analysis
of various engineering activities. To solve such problems, further development may be required
to develop novel and flexible safety assessment techniques for dealing with uncertainty
properly and also to use decision-making techniques on a rational basis (Pillay and Wang,
2002).
Again, the challenging task of assigning probability values, for instance for use in a FTA, has
attracted a lot of attention and discussion. These flexible safety assessment techniques advocate
that branch probabilities can be estimated in one of four ways or in a combination of the
following (Hartford and Baecher, 2004): (a) engineering model based on physical processes;
(b) fault tree analyses based on logical constructions; (c) judgements by experts; and (d)
statistical estimates based on empirical data. Statistical estimates are characterisations or
summaries of past observations.
Engineering models are constructed based on reasoning from first principles of physics.
Uncertainties in the model parameter values and in the model itself are propagated through the
calculations to establish probabilities that the floating-graving docks can fail to carry out their
operations properly. Fault trees differ from engineering models in that they model the logic of
a system rather than the physics of the system. Judgement is based on experts’ intuition and
62
reasoning which reflects a base of knowledge and evaluated experience. Collective judgements
of experts, structured within a process of debate, may yield as good an assessment of
probabilities as can be obtained by mathematical analyses. Some might claim a better
assessment (Vick, 2002). Therefore, a fuzzy logic modelling approach (see Section 2.6.3) may
be more applicable to conduct hazard identification, risk estimation and risk control option
selection based on risk management information. This is also true for cost-benefit assessment
where techniques such as cost per unit risk reduction (CURR) cannot be effectively used due
to a high level of uncertainty in the data. As such, an appropriate solution may be a fuzzy logic
modelling approach with the combination of expert judgements. Also, software safety analysis
is another area where further study is required. In recent years, advances in computer
technology have been increasingly used to fulfil control tasks to reduce human error and to
provide operators with a better working environment in floating-graving systems (Pillay and
Wang, 2002).
Based on the critical review of floating-graving docking/undocking evolution and discussion
of the experts in the area, it was found that ship repair companies often have a poor
organisational structure. This would entail documentations of accident records, systems and
components that would be difficult to come by and the availability of data for quantitative
analysis is either unavailable or far from being in the ideal format. This was the major challenge
of this research and subsequently resulted in risk assessment of docking operations under
uncertainty treatment methods such as evidential reasoning (ER), fuzzy set theory (FST) and
Bayesian network (BN).
Three types of software (Fault tree ++, Intelligent decision software (IDS) and AgenaRisk
Desktop) were adopted to overcome the challenge in application of these novel methods. In
summary, this PhD research develops a novel subjective risk assessment methodology for
floating-graving docking/undocking evolution problems based on the safety principles of FSA.
This research provides insight as to the relative merits between the use of judgement (degrees
of belief) and statistical analyses. It does conclude that the approaches provide equally
important information, but usually different information, which can be applied in different parts
of risk analysis.
2.10 Discussions and Conclusion
The floating-graving docking systems are connected with ship repairing and ship conversion.
This includes the consideration of all accidental or intentional dangerous effects coming from
63
the environment or humans. The operations of bringing ships out of the water for maintenance
brings a lot of hazards at the point of contact between humans and technology or humans and
the environment (Mikulik and Zadjel, 2009). Each of them, excluding natural disasters, can be
caused by accidents or intentional human actions. Such hazards can lead to physical destruction
of the floating-graving system or even collapse. In the face of such hazards appearing,
particularly during docking and undocking evolution, suitable strategies of reaction ought to
be taken into consideration. A functional system of the floating-graving docking system, made
of various hardware, is able to take advantage of the FSA method and, as a consequence, reduce
such danger (Mikulik and Zadjel, 2009).
In this research, the FSA method adaptation for risk control in floating-graving docking
operations is investigated. Research on the application of FSA to prevent hazards or failures in
these systems is rare. So far, the safety assessment approach for risk analysis in certain
identified hazards in floating-graving dock operations has arrived at some conclusions.
Nonetheless, the key element for reaching adequate results is gaining suitable data. Often,
intelligent building domain data are collected as a linguistic variable. Then they are processed
into numerical data with some errors. But even if data are hard to obtain and vary a lot with
time, the FSA method based on fuzzy set theory, Bayesian network, and evidential reasoning
helps to get an acceptable outcome, has great tolerance and is insensitive to errors made in
swapping linguistic into numerical data, which is the biggest problem in such domains of
research (Mikulik and Zadjel, 2009).
The FSA philosophy has also been approved by the IMO for reviewing the current safety and
environmental protection regulations and studying any new element proposal by the IMO; and
justifying and demonstrating a new element proposal to the IMO by an individual organisation
(Pillay and Wang, 2002). Concerns regarding the use of FSA in floating-graving docking
evolution are enormous. FSA may be a tool to support development of rational regulations, and
enable focusing on important issues and justify modifications (Bai, 2002). Although many
elements of the approach described in previous sections are well established in other contexts,
their applications to the ship repairing industry in a generic or specific way are relatively new
and unproven. Trial applications are being encouraged to be undertaken, with the intention of
accumulating relevant results and experience.
The development of suitable mechanisms and procedures in which the FSA process can be
applied by the IMO committees in future decisions can be considered in the dry docking
64
industry. Useful risk estimation data include: incident statistics, equipment reliability,
structural reliability, human reliability and docking (exposure) data. The cost data relate to the
estimation of investment costs, operating costs, inspection and maintenance costs, and the cost
for clean-up, pollution, etc. In many cases, data are insufficient to conduct an appropriate
estimation of risk (Bai, 2003). As with all risk assessments, the results obtained are dependent
on data and also on judgement in interpreting the data and anticipating industry trends, the
impact of changes in technology, the potential for future accidents, etc. The results of an FSA
study are therefore dependent upon both the availability of relevant data and qualified analysts
who can undertake rational judgements. The quality of a FSA is as good as the data provided,
expertise used and mathematical models applied. There are many challenges in collecting and
interpreting risk data in floating-graving docking operations. In many cases, it is found that the
data have not been recorded or not in the way that enables FSA.
Mathematical modelling and computer simulations may be the alternatives to the data. An
expert’s opinion may be a necessary substitute for or complement to statistical data. For those
in the ship repairing industry, this research can be considered a starting point of a new method
for enhancing or controlling the quality of the shipboard-floating-graving environment by
minimising or avoiding reviewed problems using scientific assessment approaches. The
platform provided in this research consists of four chapters. They are namely, a fault tree-
formal safety assessment in the ship repairing industry, fault-tree-Bayesian network for dry
dock gate failure, fuzzy rule base with belief degree for risk estimation in docking operation,
and truncated normal distribution Bayesian network for cost-benefit analysis for ranking risk
control options in docking operations. By utilising these four core chapters, the five steps of
FSA methodology are completed. Each chapter has its own research methodology which is
subsequently demonstrated by its corresponding case study. Although there have been recent
concerns on the subjectivity of FSA based on incomplete information, it is important to
improve efforts to find specialists with long experience and good background in relevant case
studies and to train these experts in expressing judgements in probabilistic terms.
65
Chapter 3 – Fault Tree – Formal Safety Assessment in Docking Operation
Summary
Fault tree-Formal Safety Assessment (FT-FSA) is the premier scientific method that is
currently being used for the analysis of maritime safety and for formulation of related
regulatory policy. To apply FSA in this Chapter, all five steps are considered and critical
information highlighted in each step as reviewed in the literature. A novel 15 steps approach
of FT-FSA is introduced in the systematic accident scenario considered in this study as
emergent phenomena from variability and interactions in shipyard (considered as a complex
system). The results of this Chapter will be useful for guidelines and regulatory reforms in the
ship repair industry as demonstrated by identifying ‘fall from height in ship repair
occupational hazards’ for recommendation in decision making.
3.1 Introduction
In the maritime industry, questions must be asked. Why should the industry have to wait for an
accident to occur in order to modify existing rules or propose new ones? The safety culture of
anticipating hazards rather than waiting for accidents to reveal them has been used in industries
such as nuclear and the aerospace industry (Kontovas and Psaraftis, 2009).
The international shipping industry has begun to move from a reactive to a proactive approach
to safety through what is known as Formal Safety Assessment (FSA) (Kontovas and Psaraftis,
2009). FSA is a formal, structured and systematic methodology, aimed at enhancing maritime
safety, including the protection of life, property, and marine environment, by using risk and
cost-benefit assessments (Maistralis, 2007).
The use of FSA is consistent with, and should provide support to any decision making body
(Maistralis, 2007). Based on Wang and Trbojevic (2007) it is a new approach to marine safety
which involves using the techniques of risk and cost-benefit assessments to assist in the
decision making process. First introduced by the IMO as a rational and systematic process for
assessing the risk related to maritime safety and the protection of the marine environment and
for evaluating the costs and benefits of IMO’s options for reducing risks as reference in
Maritime Security Committee (MSC cir. 1023, MEPC circ. 392, 1993) it has been seconded to
none so far. Before its adoption by IMO, FSA has been an object of research leading to several
academic papers written by Wang (2001), Soares and Teixeira (2001), & Rosqvist and
66
Tuominen (2004). The relevance of the methodology of FSA over the span of ten (10) years,
has been proven in marine and offshore products such as fishing vessels, ports, marine
transportation, offshore support vessels, containerships, LNG ships, ship hull vibration,
crushing ships, liner shipping, high speed crafts, oil tankers, trial studies of passenger roll
on/roll off (roro) vessels with dangerous goods and bulk carriers (Nwaoho et al., 2011).
The Royal Institution of Naval Architects (RINA) has also published a collection of some 15
papers on the subject, covering various contexts of the problem (RINA, 2012). Fault tree (FT)
on the other hand, is an analysing tool, used in FSA. This chapter is developed from statistics
and preparatory work (Baris, 2012), on shipyard fatalities from, USA, UK, Turkey, and
Singapore. Reports on a critical review of FSA by Kontovas and Psaraftis (2009), guided in
highlighting the shortcomings of steps in FSA.
The aim of this Chapter is to show that FT-FSA methodology of safety-relevant scenarios in
occupational accidents in shipyard can be analysed. Our exemplary application is a ‘Fall from
Height’ scenario, which deals with concurrently interacting human operations and technical
systems. In particular, the assessment considers the risk of falling from height due to scaffold
failure. The systematic risk assessment approach portrayed in this Chapter intends to be an
effective means of providing feedbacks to both contractors and designers in shipyards. The
findings and conclusions are of interest to ship repair owners, maritime researchers, and other
safety policy and regulator makers in dry docks.
Specifically, the audience for this Chapter is obviously ship repair managers, where FSA as a
subject of non-trivial complexity tool, serves to provide a vehicle to explain how resources can
be efficiently managed in the system, through identifying, analysing, and proposing
improvements on specific critical systems. This Chapter is organised as follows: Section 3.2
presents the statement of problem. Section 3.3 functional components of FSA in dry docking.
Section 3.4 is the accident data analysis. Section 3.5 presents an illustrative example, followed
by discussions.
3.2 Statement of Problem
In dry docks, occupational accidents are frequent. An occupational accident is defined as an
unexpected and unintended incidence while occupied in an economic activity, which results in
one or more workers getting injured or loss of life (Baris, 2012). Every fifteen seconds, a
worker dies as a result of occupational accidents or work related diseases. 160 workers have
67
an occupational accident statistically every fifteen seconds. Over 2.3 million deaths per year
and more than 336 million accidents occur at work annually (ILO, 2011). In shipyards, these
occupational accidents are classified by several statistical agencies under the construction, or
repairing categories. Shipbuilding and repair is a complex business, with huge tasks performed
in parallel. Steel handling and processing production process requires great space, which must
be inspected, sorted and stored. On these steels, further activities are required, which include
blasting, priming, shaping, forming to designed shape, welding to make assemblies, panel,
fabrication, block assembly, pre-outfitting, air conditioning, electrical cable fitting, surface
preparation and coating (ILO, 2011). This has been the challenge in respect to shipbuilding and
repair system safety, standing out as being complex and uncertain.
The adoption of FT-FSA concept will be used to solve existing gaps. An existing gap within
the framework, is the unavailability of experts to carry out proactive risk based approach to
deal with accidents and eliminating its occurrence from its origin. FSA consist of five steps.
FT is a formal method used in step 1 and 2, in this study. Hollnagel (2004) categorizes these
accident models in the following three types: (a) a sequential accident model describes an
accident as a result of a sequence of events that occurred in a specific order; (b) epidemiological
accident model which describes an accident in an analogy with the spreading of diseases; (c)
systemic accident model describes the performance of a system as a whole, rather than on the
level of cause-effect mechanisms or epidemiological factors.
From a safety assessment point of view, researchers have rather failed to identify which
accident model is used. Depending on the model of accidents, different methods and result will
be obtained. FT-FSA over the past decades, has received no attention in the dry docking
industry, as the literature review indicates. The purpose of this Chapter is to introduce FT-FSA
methodology in the ship repair industry and propose ways of implementation. All steps of FSA
are considered and possible pitfalls or other deficiencies are identified, and proposals are made
to alleviate such deficiencies, with a view to achieve a more transparent and objective approach
in the ship repair industry.
FSA is time consuming, and where experts are required, opinion varies and conflicts arise.
Researchers are getting fed up with new existing subjective approaches instead of increasing
awareness of companies coming together for data collection (Kontovas, and Psaraftis, 2009).
The criticism of using MSC guidelines has been strongly submitted by Greece, yet there has
been no response on reforms (Kontovas and Psaraftis, 2009). The different types of analysis
68
provided by researchers have led to increased confusion as to which method is better to use
and in what areas. These and many other disadvantages, have led many researchers to avoid
the term ‘FSA’. Many love eye catching titles like ‘risk analysis under uncertainty’, etc., yet
using the same FSA methodology. In this regard, this Chapter, revisits the origin of MSC
guidelines in the application of FSA, in its simplest form, and brings to light short comings that
have plagued its application in recent years from adopting a direct approach in its
implementation.
This chapter provides a rather, individualistic research, based on time scheduling and critical
thinking, hence by-passing so many obstacles presented by time-wasting generic opinions from
experts. Lastly, many researchers limit its application to ships and offshore structures,
impairing creative thinking in other maritime sectors. To overcome these disadvantages, the
next section, looks closely into FT-FSA framework and its application in shipyards, and
weaknesses of each step highlighted.
3.3 Functional components of FSA in dry docking
3.3.1 System definition
FSA is built around a suite of technical analyses of a wide range of topics. Some of those topics
are listed below and then discussed in greater detail (Hu et al., 2007). Although not part of the
formal FSA structure, it is good practice to write technical and management philosophies at
the start of the FSA project. Philosophies can be written for each operational activity. A
philosophy will generally consider the following issues (Hu et al., 2007):
- The physical scope of work and boundary conditions for the project and the FSA.
- The standards, regulations and classification society to be followed. They can be
internal to the company or from an outside organization.
- The modelling techniques to be used.
- The consequence of accident on the designed model.
A detailed system description is essential to the risk assessment. Such description usually
consists of a structure, including all hardware, people, procedures and environment, being
described in a structural manner (Kontovas, and Psaraftis, 2009). The hardware that comprises
a generic shipyard is the most basic layer in the system definition. This hardware can also
include the design of the shipyard system.
69
The interface between hardware and human operators, i.e. the so-called man-machine interface,
forms the second layer. The external environment could be considered the third layer. The
overall safety is influenced by the hardware, individuals & organization, and external
environment, which may vary during the docking life cycle. Figure 3.1 shows the ship-docking
interface.
…………………………. … ……………………………….
Figure 3.1: Overview of dock
The variables require theoretical and operational constructs to be established in order to build
the model. Only the operational constructs is considered in this research. Operational
definitions specify precisely how a variable is measured in a particular study. Once the structure
of model has been established, and its performance scrutinise to be suitable for the objectives,
appropriate values can be input for the necessary variables and the resultant outputs calculated
as guided in Figure 3.2 (Taha 1971 and Checkland, 1989).
Figure 3.2: Modelling process (Taha 1971 and Checkland 1989)
Ship in dry dock
Ship undocking
Repaired or/new
ship ready to
undock
Ship approaching
dock
Open sea area
New
bu
ildin
g o
r re
pai
r
Real world
Thinking about
real-world
Identify the
problem situation
(Objectives)
Formulate root definitions
for each system in problem
definition
Define any
desirable
changes Compare model
with real life
Build conceptual model
of system identified via
the definitions
Population
reality
Sample
Assumed reality
Take action to
improve the
problem definition
70
Much floating dry dock risk models research involves the measurement of hypothetical
constructs (or theoretically constructed), e.g. management, maintenances, etc. It can be said
that these entities are hypothesised to exist on the basis of indirect evidence (Fellow and Liu,
2008). A generic floating-graving docking system may involve the following stakeholders:
crew, ship-owner, classification society, insurer, and coastal state. Various stakeholders may
have different views of the safety, as well as the cost/benefits derived from the changes of the
shipping safety. The interaction among these parties is complex, and will significantly
influence the safety of floating-graving docks. Figure 3.3 presents floating-graving dock
mother model, with basic hardware involved and Figure 3.4 is docking evolution.
Figure 3.3: Mother model
Sub-model of floating dock
for engineering analysis
Methodology and modelling Qualification model,
Quantification model, uncertainty
model
Example modelling
Block diagram of variables
tugs
………………………………………………………………………
………………………………………………
Graving dry
dock
Floating
dry dock
Workshop
Land Logistic
Weather Operation
Environmental
Regulation
Classification
Design
Fabrication
Construction Standards
Safety Management
Formal Safety Assessment
Tides Sea
Research
Boundaries Research
Boundaries
Technical Modelling
Accident
Reporting
Quality
system
Communication
71
Fig
ure
3.4
: D
ock
ing a
nd u
ndock
ing e
volu
tion
Flo
atin
g-g
rav
ing
do
ckin
g s
yst
em
72
3.3.1.1 Docking and undocking activities
Four activities are vital to maintaining and operating a dry dock safely. These are (Harren,
2012): (a) condition assessment – this assessment evaluates the physical condition of the dry
dock, review the design documentation, and performs calculations to determine the capacity of
the dry dock in its current condition; (b) maintenance – this include preventive maintenance
tasks as well as maintenance to correct deficiencies that are identified through a condition
assessment; (c) control inspection – is a comprehensive but qualitative review of dry dock
facility to evaluate the effectiveness of maintenance program; (d) docking operations - which
encompasses all tasks associated with the act of docking a vessel in a floating-graving dock.
This include but not limited to calculations to ensure the stability of the vessel and dock
throughout the evolution, proper blocking to ensure proper loading of both the vessel and dock,
and procedure requirements (Harren, 2012).
An abstract from ASCE Manuals and reports on engineering practice prepared by the dry dock
asset management task committee of the ports and harbors committee of the coasts, oceans,
ports and rivers institute of the American Society of Civil Engineers is herein presented to
describe the four activities vital for safe operation of floating-graving dock. These are the
essential elements identified to relate with the floating –graving operation model developed in
Figure 3.4. The five aspects mentioned here are: docking evolution, communication, facilities,
docking a vessel, undocking evolution, maintenance, human factors and environment.
3.3.1.2 Docking evolution
This operation is divided into five section, communication, and undocking, docking, normal
operation of facilities and emergency operations. This section is discussed as upon the model
developed in Figure 3.4 and its various branches as indicated. The reasons for the selection of
these parents’ nodes are discussed.
3.3.1.3 Communication
The communication which takes place before a ship is docked is very vital. The vessel and
shipyard have a role to play for safe communication. This communication is before docking and
during docking. Before docking the following communication is important (Harren, 2012).
Documentation and information must be well organised and communication must exist between
shipyard and owner. This report contains many documents such as the position of vessel,
shipyard plan, conditions of docking and undocking drafts and undocking displacements, the
work required, structural fabrication, modifications required, equipment changing, and work on
the propulsion system. Vessel responsibility: These are details but not limited to some
73
information required to be communicated between both ship owner and dry dock master. The
vessel information sent to the dry dock master is important to plan docking activities. These are
vessel’s docking plan, vessel’s displacement and other curves of form (Hydrostatic table),
vessel’s trim and stability booklet, vessels service requirement, and dry dock report from prior
dry docking (Harren, 2012). Dry dock master’s responsibility: Shipyard shall calculate the
bearing loads on keel and side blocks, to confirm that these loads are within the acceptable limits
of the dry docks as initially assessed. What the dry dock must have in place is a LOG BOOK.
This book contains all pertinent work regarding the docking facility during all operations. The
details of this Log book might vary depending on work intensity. Communication is two way:
owner first, detailing vessel’s information and work to be done and then shipyard second, doing
preliminary calculations to check if the dry dock has the facility and capacity for the vessel.
After this the shipyard shall submit to the ship owner a shipyard docking plan for approval
(Harren, 2012).
The shipyard docking plan: is developed with vessel outline as provided during owner-shipyard
communication (Harren, 2012) : (a) Vessel outline shall include hull openings, appendages, and
protuberances that may affect the docking; (b) Longitudinal and transverse position of the
vessel’s docking reference point or stern reference point (SRP) from a fixed reference point on
the dry dock; (c) Blocking arrangement showing the longitudinal and transverse position, as
well as spacing of the keel blocks and side blocks, from a fixed reference point on the dry dock;
(d) Pumping plans. Lastly, during operation, another form of communication is required, which
include two way radios, push to talk phones, cell phones, and/or hand signals. Vessel owner and
shipyard owner must ensure safe communication (Harren, 2012).
3.3.1.4 Facilities
This is the capability of the shipyard facility to adequately support and accommodate class and
type of ships, and have the required maintenance system in place to handle such operation. The
term, ‘dock rating’ indicates the capacity of the dry dock for any given operation in accordance
with its facilities (Harren, 2012). This is the capability of the dry dock to support the docking of
a class or type of vessel. Physical inspection of the facility is also required. Facility safety
equipment may include fire alarms location, emergency power, and emergency
ballast/dewatering pumps (Harren, 2012).
3.3.1.5 Docking vessel
After the above communication between owner and shipyard is affirmed, the vessel is ready to
be docked (Harren, 2012). There must be an approached plan that includes the geographical
location, channel features and markers, location of facilities, mooring and pier locations, and
74
dry dock location (which must be suitable for safe entrance) (Harren, 2012). The hydro-graphic
survey of the underwater depths and the approach lines of vessel to pier-side facilities and dry
dock, guide tugs with any other guide requirements must also be considered as experience
demands. Specific docking procedures are usually followed after preparation. Care is however
required at the critical stages in the docking process of settling dock on keels and closing gates.
The docking shall include (floating dry dock) (Harren, 2012): (1) Divers standing by to assist;
(2) Positioning the ship, which includes centring devices such as centring bobs and battens or
lines, and longitudinal markers such as line of sight markers to align ship’s docking at reference
point; (3) Landing ship is considered the most crucial step, positioning ship longitudinally and
transversely in dock. Drafts at landing at bow, mid, and aft shall be noted; (4) Pumping operation
to deballast dock is done, when ship has successfully landed and all line handlers are stationed;
and (5) Side blocks condition, is checked so that both transverse and longitudinal position are
acceptable (Harren, 2012). Once the ship is successfully brought into dry dock, it is important
for the ship to safely land on blocks. This is called ‘Safe Landing’ (Harren, 2012).
Safe landing of ship before and after landing must be observed. Divers are usually used to make
sure landing is properly conducted. The gangways and service lines can be installed. Lastly,
grounding cables to protect vessel from the effects of welding and electrical storms shall be
attached to the vessel (Harren, 2012). General inspection after water de-ballasting, is made to
check condition of both vessels and block. Situations of excessive crushing must be corrected
by refloating, and this process can continue for a long time, and is sometimes frustrating, if
events persist (Harren, 2012).
3.3.1.6 Undocking evolution
After work is done, vessel must be undocked. Calculations are done, and assessment conditions
shall include liquid loads, cargo, and work items required to be loaded or unloaded prior to
undocking. General vessel specification must be followed. These are, float off draft and vessel
ballasted & trim minimised. After observing the float off draft and trim, the following is required
before floating ship: (a) Be ballasted to match vessel’s trim. This condition shall be shall be
used to determine the block load and generate the dock’s pumping plan for undocking; (b)
Phases of undocking must be followed certain standards by (NAVSEA, 1996); (c) The dry dock
master is required to undertake sounding, itemized list of weights aboard the vessel (i.e. crew,
stores, cargo, and ammunition), work items (i.e. contractual work carried out), undocking
calculations (vessel draft instability and block loads), and a pumping plan; (d) Undocking
conferences are usually done to clarify the undocking particulars. These conferences sets out
some important checklists. Undocking in floating dock, is called submerging the dock from semi
to full submergence (Harren, 2012).
75
3.3.1.7 Human factor
Humans play an important role in shipyard. The manning of the humans and working hours is
very important. Stationing on various positions to dock and undock vessel is vital. Also, they
carry out all the necessary work on the vessel once the vessel is docked. Working in awkward
position, confined spaces and under hull propeller work area is done by humans. Manning the
ship in and out of dock is done by captain/pilot and chief engineer’s crews. The qualification,
experience, training and management of workers are important. Management shall include roles
such as recording all training in log books, as improvement on personnel experience is carried
out every year. Considering the operation, communication, maintenance and other roles human
play in the system, there is an increased tendency towards fatigue, inexperience, and/or
overconfidence on specific tasks if not properly supervised or organised (NAVSEA, 1996).
3.3.1.8 Maintenance and inspection
Control inspections and maintenance are put together for purpose of better understanding. In
certain cases, these are different. Inspection proceeds maintenance. The former is usually done
on newly designed and fabricated shipyards (Harren, 2012). Control inspection is done to
evaluate effectiveness of maintenance management. Control is periodic and is done frequently.
Structures, mechanical and electrical systems, equipment and components shall be inspected.
The inspection model is developed to inspect personnel, records and the inspection
management. This is an important department in regards to safe operation (NAVSEA, 1996). A
maintenance organisation adopts different structures depending on decisions by owners. This
organisation can be run by internal management or made use of engineering organisation with
expertise on designing and maintaining waterfront or marine type facilities. Other functions that
may be incorporated, include, organisation planning and computerised maintenance
management system. Auditing operations are usually conducted for efficacy of maintenance
program. Conditioning assessment is another aspect that is adopted by maintenance
organisation.
3.3.1.9 Environment
The geographical location and mud deposition are important considerations for design, selection
and operation of dock. An area with increased mud deposition would require increased dredging,
hence affecting the cost of the operation. Other aspects here include, wave, wind, hurricane,
earthquake, rising tides and weather predictability (NAVSEA, 1996). The environment is
initially carefully considered before any work is done. Counter natural disasters can then
developed depending on environment. Certain regions were selected for shipyard design without
environmental considerations (Harren, 2012).
76
3.3.2 Hazard identification
In the FSA regime, a hazard is broadly defined as a situation in floating-graving docking
evolution with the potential to cause harm to human life, the environment and property.
Hazards become a problem when they develop into accidents; generally this occurs through a
sequence of events. Once characteristic of these hazards is that, at different phases of the
operation, the floating-graving system could experience different kinds of hazards. Hazard
identification is performed by selected professionals and/or literature review and the purpose
of hazard identification is to identify all conceivable and relevant hazards.
Typically a team of 6-to-10 experts, including naval architects, structural engineers, machinery
engineers, dry dock master, marine engineering surveyors and meeting moderator, provide the
necessary expertise. The hazards are identified using historical incident databases and expertise
of the team. The identified scenarios are ranked by their risk levels, and prioritizing hazards
are given a focus and may be subjected to more detailed analysis. For a generic floating-graving
system and its associated sub-systems just described, the following important hazard categories
are identified: (a) collision and grounding, (b) landing errors, (c) extreme environmental
conditions, (d) loading errors, (e) loss of structural integrity, (f) contact event, (g) fire, (h) fall
from height, etc.
3.3.2.1 Gate collapse
Typical accidents may include collapse of dock walls due to static lateral soil pressure and
dynamic earthquake loads. A recent accident involving caisson gate failure on 27 March 2002,
at Dubai Dock No 2, one of the world’s largest ship repair facilities, caused uncontrolled
flooding of the dock (Harren, 2012) leaving 21 people dead. Again, if the dry dock is not
founded on deep foundations, such as piles, then a net uplift would result, causing the dry dock
to float and tilt.
3.3.2.2 Failure of pontoon deck-structural failure
Structural failures of floating dry dock pontoons due to excessive transverse bending stresses
were thought to be relatively rare occurrences. Accidents reported were due to steel plate panels
that have their axis parallel to the longitudinal axis of the dock and perpendicular to the line of
transverse compressive stress in the plate when docking a ship (Heger, 2003). These accidents
usually occur while the dock is being ballasted in a manner that unknowingly magnifies the
77
compressive stress in the pontoon deck plates to point which exceeded their buckling strength
(Heger, 2003).
3.3.2.3 Stability failure
In considering the capability of a facility to dry dock a ship, many factors affect the safety of
the dry docking operation. To determine the lifting capacity of a floating dry dock, the
following limits are considered: physical characteristics, structural limits, and buoyancy and
stability limits (Wasalaski, 1982). MIL-STD-1625D was prepared as a guide for certifying
floating dry docks to establish the maximum size each dry dock can safely dock. In reviewing
MIL-STD-1625D, there are two major parts to ‘the design limits and a review of the operation
of floating dry docks as related to ‘lifting capacity’. The dangers of avoiding a low value of
GM during docking generated list at a critical instant in the Vigor accident where stability
failure lead to collapse of floating dock. Such a circumstance whereby the dry dock sinks and
a tug capsizes is considered as highly undesirable and raises some concerns in the industry.
Another stability concern in the Vigor accident was an incorrect stability calculation for the
ship (GCaptain, 2013).
3.3.2.4 Docking block failure
The positioning and stiffness allocation are important to docking blocks. These are important
decision when docking a ship because mis-positioning or mis-allocation of docking bocks may
give risk to unreasonably large block reactions and consequently serious damage to both the
docked ship and blocks (Cheng et al., 2004). Docking failure may also cause the disruption of
docking schedules and extension of the ship downtime. Any failure may even lead to the loss
of lives (Cheng et al., 2004).
3.3.2.5 Grounding
A ship may run aground either due to human errors in navigation, due to obstacles not recorded
on charts, or due to the failure of the ship’s control systems (Tupper, 2013). Accordingly, the
designer must legislate for all these eventualities. Docking vessels operations are carried out
under predictable conditions and are carefully planned. The naval architect produces the ship
data together with details of the actual loading condition of the ship at the time. Grounding is
unpredictable. It involves a more variable set of circumstances including the point of grounding
(along the length and transversely), the nature of the sea bed, the prevailing weather and tide
conditions and the actions of the crew. All influence what happens to the ship in terms of
78
structural damage and flooding (Tupper, 2013). In a studies period 1990 – 2007, one grounding
event occurred when a ship was under repair due to bad weather conditions, the mooring broke
and the ship drifted and was stranded. No injuries or fatalities were registered, and no oil spilled
during docking an oil tanker (SSC, 2002).
3.3.2.6 Dry dock wall failure
Failure of dry dock walls may be caused by the combination of the static lateral soil pressure
and the dynamic earthquake loads. In general, there are two types of wall failure modes. During
the earthquake, due to repetitious dynamic loading, the pore pressure of the soil behind the wall
may increase to nearly the total pressure, thus effective stress and shear strength of the soil will
approach zero and soil liquefaction may occur (Wu et al., 1990). If the dry dock is not founded
on deep foundations, such as piles, then a net uplift would result, causing the dry dock to float
and tilt. This type of failure is however, not likely to occur for a graving dry dock (Wu et al.,
1984).
3.3.2.7 Contact events
In a studies period 1990 – 2007 (SSC, 2002), three cases of contact events happened when
trying to dock an oil tanker. In one case, a ship was in dry dock when the dry-dock gate was
struck by a tsunami (bad weather conditions). In the other two cases, the ship was under
manoeuvring to enter the dry dock with pilot on-board. No injuries or fatalities were registered.
3.3.2.8 Fire events
In a studies period 1990 – 2007 (SSC, 2002), Eighteen (18) fire events happened when trying
to dock an oil tanker for repairs. In 8 cases out of 18 fires events, there was a significant number
of injuries and fatalities. In 4 cases out of 8, there was a clear statement that the fire started due
to ‘hot-works’.
3.3.3 Steps of FSA in dry docking operation
The modern risk assessment techniques have been applied to the nuclear and offshore industry
successfully, but the first proposal to apply the modern risk assessment techniques to the
shipping industry was put forward by the UK delegation in 1993 to the Maritime Safety
Committee of the IMO (Lee, 1997). In doing so, a lot of concerns were focused on the proactive
philosophy of FSA which is expected to provide a means of enabling potential hazards to be
considered before a serious accident occurs. The Formal safety assessment that has been
79
proposed by the UK MCA consists of five steps which are: hazard identification, risk
estimation, risk control options, cost benefits assessment, and recommendation.
3.3.3.1 Problem definition and generic model
The purpose of problem definition is to carefully define the problem under analysis in relation
to the regulations under review or to be developed. The definition of the problem should be
consistent with operational experience and current requirements by taking into account all
relevant aspects (MSC 2002). In general, the problem under consideration should be
characterized by a number of functions. Where the problem related for instance to a ship type,
these functions include carriage of payload, communication, emergency response,
manoeuvrability etc. Alternatively, when the problem relates to a hazard, for instance fire, the
functions include prevention, detection, alarm, containment etc. (Tzifas, 1997). The generic
model is not viewed as an individual model but as a collection of systems, including
organisational, management, operational, human, and electronic and hardware aspects which
fulfil the defined functions (Wang, 2007). The functions and the systems should be broken
down to an appropriate level of detail. The results from this study should include (MSC 2002:
Maistralis, 2007): (1) Problem definition and setting of boundaries and; (2) Development of
generic model.
3.3.3.2 Step 1: Hazard identification
The purpose of this first step is to identify as many hazards, specific to the generic model or
problem definition in question, and to generate a prioritized list of accidents introduced by
those hazards. This step identifies and generates a selected list of hazards specific to the
problem under review (Wang, 2007). Hazards may or may not have already been realised as
accidents. With the passage of time, changing technology, and the influence of human factors,
new hazards will arise and existing hazards may materialise into accidental events not
previously experienced (Peachey, 1995). The objective of this step is to describe what the
activity is, and identify what can go wrong. The overall objective of this step is outlined in
Figure 3.5. Hazard identification methodology is concerned with using the ‘brainstorming’
techniques involving trained and experienced personnel to determine the hazards (Wang,
2007).
Lee (1997) explains much of the work is constructed by the activities of HAZID meeting. MSC
committee (2002) looks at the method to implement hazard identification by getting a
80
compromise of a combination of both creative and analytical techniques. The creative element
is to ensure that the process is proactive and not confined only to hazards that have materialized
in the past. Various scientific safety assessment approaches exist in hazard identification. They
include (MSC, 2002; Mistrials, 2007): Preliminary Hazard Analysis, Failure Mode, Effects and
Criticality Analysis, and Hazard and Operability (HAZOP) study. The results from this step
involve a list of hazards and associated risk levels.
Figure 3.5: Flow chart for hazard identification
The objective of this step is to identify all potential hazardous scenarios in shipyards that could
lead to significant consequences and to prioritise them by risk level. The first objective requires
a creative part (mainly brain storming) to ensure that the process is proactive and not only
confined to hazards that have materialised in the past. In simple FSA studies, historical data
can be used, although its disadvantages are highlighted by Davanney (2008) where he states,
‘caution is required in identifying casualty database and to correctly identify accident causes.’
His view is shared by Kontovas and Psaraftis (2009), who carried out a research on critically
analysing the pitfalls and deficiencies in application of FSA in maritime research. They
strongly recommended, probabilistic modelling of failures and development of scenarios as an
alternative in IMO FSA guidelines, by using formal methods, such as fault trees, event trees,
influence diagrams, human reliability analysis, human element analysing process, and possibly
others.
The second objective is to rank hazards and to discard scenarios judged to be of minor
significance. Ranking is done using available data and modelling supported by expert
judgement. A group of experts in dry docks rank risks associated with accident scenarios and
a ranked risk is developed starting from the most severe. This is done, using the MSC guidelines
Purpose Methods
Brainstorming
HAZID meeting
Scientific Safety Assessment
Techniques;
FTA, PHA, FMECA, HAZOP
What can go wrong?
1. List of hazards
2. Causes and
Effects
Hazard Identification
Outcome
Definition
Purpose
81
risk matrix. Estimation of risk related to a hazard identified in Step 1 begins with estimation of
frequency (F) from following fractions: F = No of Casualties/shipyard years, consequence
potential, called Potential Loss of Life (PLL) according to FSA guidelines is: PLL = No of
Fatalities/shipyard years. Risk = Probability x consequence. Log (Risk) = (Probability) + Log
(Consequence). Combining both indices, a third index, the Risk Index or risk ranking number
is achieved:
Risk Index= Frequency Index + Severity Index (3.1)
Equivalent total is to integrate risk index. It makes use of the fact that both the frequency and
severity banks of the risk matrix are approximated logarithmically. Table 3.1 presents the
frequency rate and severity value in shipyard and Table 3.2 is shipyard severity value.
Table 3.1: Shipyard frequency and severity rate Table 3.2: Shipyard severity value
Frequency rate
Likely to happen in shipyard
General
Interpretation
F4: 1-12 months Frequent
F2: 2-3 years Likely to occur
F2: 5-10 years Remote
F1: Over 10 years Unlike to occur
This risk matrix is 3x3 as opposed to 3x7 matrix proposed by MSC, due to nature of ship repair
industry. A criticism of this method (risk matrix) as a standalone, gives no distinction among
hazards that have more than 10 fatalities. Again, in this risk matrix, constructed for all
combinations of the frequency and severity indices equations, the probability is equated to
frequency, in comparing scenarios in terms of risk, some scenarios stand a chance to be ranked
lower or higher than required.
Though, risk matrices are not used for decision making however, they constitute a simple yet
most important tool that is provided to a group of experts in the hazard identification step to
rank hazards. These matrices are simple to use, but the above disadvantage, are not ignored in
this chapter. In cases where a group of experts are asked to rank objects according to one
attribute using natural numbers, multi grouping is required. A multinational group of experts
is not rare in FSA studies. A number of 10 experts is reasonable for such groups demonstrated
in concordance coefficient W in equation 3.2:
W = 12 ∑ [ ∑ xij-1
2J(I+1)]
j=J
j=1 ^I=ii=1 2 (3.2)
J2 (I3-I)
Severity Value
General interpretation in shipyard
S1 Minor injury S2 Major S3 Fatality
82
The coefficient W varies from 0 to 1. W= 0 indicates that there is no agreement between the
experts. On the other hand, W= 1 means that all experts rank scenarios equally by the given
attribute. This equation, can be found in MSC guidelines for detailed study, but has hardly been
used in any of its application in maritime research.
Table 3.3: Shipyard risk matrix
S/F F1 F2 F3 F4
S1 1 2 3 4
S2 2 3 4 5
S3 3 4 5 6
3.3.3.3 Step 2: Risk analysis
Once hazards have been identified, the risk associated with the realisation of those hazards can
be evaluated, so as to ascertain whether those risks are significant (Peachey, 1995). The
assessment of risk involves studying how hazardous events or states develop and interact to
cause an accident (Wang, 2007). Figure 3.6 presents a risk assessment flow chart.
Figure 3.6: Risk assessment flow chart
3.3.3.4 Step 3: Risk control option
The purpose of this step is proposing effective and practical RCOs comprising the following
four principal stages (MSC, 2002: Maistralis, 2007): (1) focusing on risk areas needing control;
(2) identifying potential risk control measures (RCMs); (3) evaluating the effectiveness of the
RCMs in reducing risk by evaluating step 2 and; (4) grouping the RCMs into practical
regulatory options.
Structural review techniques are typically used to identify new risk control measures for risks
that are not sufficiently controlled by existing measures. Many risks will be the result of
complex chains of events and a diversity of causes. Risk control measures should be aimed at
QUALITATIVE ANALYSIS, Fault tree
and event tree and Risk contribution tree QUANTITATIVE ANALYSIS-Accident
and failure data are used here.
OUTCOME: identify high risk areas
RISK ASSESSMENT: Estimates risk and factors influencing
level of safety
Risk analysis
83
(Sekumizu, 1995): (1) reduction of the frequency of failures; (2) mitigation of the effect of
failure; (3) alleviation of circumstances where failures may occur; (4) mitigation of the
consequences of accidents. The prime purpose of assigning attributes is to facilitate a structured
thought process to understand how an RCM works, how it is applied and how it would operate.
Attributes can also be considered to provide guidance on the different types of risk control that
could be applied. The results required to be obtained in this step include (MSC, 2002:
Maistralis, 2007): (1) a range of RCOs which are assessed for their effectiveness in reducing
risk and; (2) a list of interested entities affected by the identified RCOs. Figure 3.7 is the
application of RCO and outcome in dry docking operation.
Figure 3.7: Application of RCO and outcome
3.3.3.5 Step 4: Cost benefit assessment
This step is aimed at identifying and quantifying the cost to be paid and benefit to be expected
when each RCO developed in step 2 is implemented (Lee, 1999). Each RCO is evaluated in
terms of implementation cost and then by deriving its associated cost per unit reduction in risk
(CURR). The cost benefit assessment may consist of the following (MSC, 2002): (1) Consider
the risks assessed in step 2; (3) arrange the RCOs, defined in step 3 in a way to facilitate
understanding of the costs and benefits resulting from the adoption of an RCO; (4) Estimate
the pertinent costs and benefits for all RCOs; (5) estimate and compare the cost effectiveness
of each option, in terms of the cost per unit reduction by dividing the net-cost by the risk
1. General approach
2. Distributed approach
1. Risk attributes
2. Casual chains
1. Accidents with
unacceptable risk
2. Probability
3. Severity
4. confidence
PURPOSE OF RCO
High Risk Areas Identify
RCMS
Evaluate
RCMS Composition of
RCOs
1. A range of RCOs assessed for reducing risk
2. List of entities affected by identified RCOs Outcome
84
reduction achieved as a result of implementing option; (6) rank the RCOs from cost-benefits
perspective in order to facilitate the decision-making recommendation in step 5. In general, the
cost component consists of the one-time (initial) and running cost of an RCO, cumulating over
the lifetime of the system. The benefit part is much more intricate. It can be a reduction in
fatalities or a benefit to the environment, or an economic benefit for preventing a loss of a
shipyard (Kontovas and Psaraftis, 2009). It is calculated using eqn. 3.3:
CAF = CURR = ∑ (b-c)
[1+i]
[1+r] ^ t
1
nt=0 (3.3)
Where b and c, are benefit and cost respectively, r is the discount rate of 4%, t is the measure
of time horizon from 0 to n years, and i, is the inflation or wage increase. Each RCO is evaluated
in terms of implementation cost and then by deriving its associated cost per unit reduction in
risk (CURR). However an extensively used index in FSA is the so called Cost of Averting a
Fatality (CAF) and can be expressed in two forms:
Gross Cost of Averting a Fatality (GCAF) =Δ𝐶
Δ𝑅 (3.4)
Net Cost of Averting a Fatality (NCAF) = Δ𝐶−∆𝐵
Δ𝑅 (3.5)
Where, ∆C is the cost per shipyard of the RCO under consideration, ∆B is the economic benefit
per ship resulting from the implementation of the RCO, ∆R, the risk reduction per shipyard, in
terms of the number of fatalities averted, implied by RCO. Cost-benefit analysis provides a
consistent framework for option appraisal. This is achieved by attempting to quantify and
where possible value, the costs and benefits associated with the various alternatives and to
estimate the present value of their net benefits (Spiro, 1995). The results obtained from step 4
include (Maistralis, 2007): (1) cost and benefits for each RCO defined in step 3; (2) cost and
benefit for interested entities and; (3) cost effectiveness expressed in terms of suitable indices
as expressed in equation 3.4 and 3.5. Cost benefit analysis is the last step for any
recommendation for decision making.
3.3.3.6 Step 5: Recommendation for Decision Making
Recommendations presented should be to the relevant decision makers in an auditable and
traceable manner. These recommendations are based upon the comparison and ranking of all
hazards and their underlying causes. The foregoing analysis provides a sound basis upon which
decisions about safety improvement can be made. The systematic nature of the method not only
85
ensures audit-ability and gives confidence in the results, but facilitates decision making
(Peachey, 1995).
3.4 Accident Data Collection and Analysis
This chapter presents data collected from accidents which occurred in the shipyard industry
over the years. The results obtained, are analysed to determine which accidents occurs
frequently and their severity rate is noted. More attention is paid to fatal, nonfatal, and
workplace injuries in the shipbuilding and repair industries. Occupational diseases in the
shipbuilding and repair industry are not taken into account in this study.
The data presented, dates from 1990-2012 and are compiled from the following sources: (a)
Occupational Safety and Health Division (OSHD) of the Ministry of Manpower (MOM), based
on incidents reported under the Workplace Safety and Health (Incident Reporting) Regulations
since its inception in March 2006; (b) Occupational and Health Safety (OSHA) USA, in
collaboration with the Bureau of Statistics of Labour (BSL) USA and; (c) The Health and
Safety Executive UK. Working in shipyards is seen as one of the riskiest occupations in United
States as BSL records shows from 1990 to 2012.
Shipyard employees are at risk due to the nature of their work, which includes a wide variety
of industrial operations, such as steel fabrication, welding, abrasive blasting, burning, electrical
work, pipefitting, rigging and coating applications (OSHA, 2008). The occupational accidents
are followed by costs; namely, injury, fatality, material and/or environmental damages.
Common causes of occupational accidents are high elevation, toxic, flammable and explosive
materials, fire, moving machinery, dangerous gases, work on/close to haphazard established
heavy structures, misuse or failure of equipment, poor ergonomics, untidiness, poor
illumination, exposure to general hazards including electricity, and inadequate protective
clothing. Fatality rate refers to the number of occupational fatal accidents per 100,000 workers.
The fatality rate in the Turkish shipbuilding industry has been compared with all other industry
groups in Turkey, and it has been found unacceptably high (Baris, 2012). Questionnaires from
Baris (2012) shows that workers do not want to control the risk themselves, they want someone
to check them. The workers want to be guided and supervised.
86
3.4.1 Data from Health and Safety Executive (HSE) UK
Reports from HSE UK shows that the injury rate in the shipbuilding and repair industry is
double as compared to manufacturing industry, plus the three most prominent accidents in UK
shipyards include, slip/trip, fall from height, and handling/lifting equipment injuries. Injury
rates in shipbuilding and repair are comparably higher than the manufacturing industry. From
the years 1997 to 2001, the injury rate doubled for shipbuilding and repair industry, compared
to manufacturing industry in Table 3.4. This result gives a case to investigate the safety regime
in shipbuilding and repair industry.
Table 3.4: Injury rate in UK SSR
Year Shipbuilding/ Repair Manufacturing
1996/97 1459.8 1210.5
1997/98 2193.2 1243.5
1998/99 2368.9 1213.0
1999/00 2603.8 1213.0
2000/01 2330.6 1194.1
HSE accident statistics for shipbuilding and ship repair (SSR) industry for the years 1999-2002
are summarised and presented in Table 3.5. The full detail is found in Appendix 3. It was not
possible to differentiate between shipbuilding and repairing. Three kinds of accidents reported
include: (a) Handling/lifting/carrying; (b) Slip/trip on the same level; and hit by an object. 65%
of handling injuries are associated with the 3 main causes are; sprains/strains from body
movement whether or not a load is involved-27%; injured through cuts from sharp/coarse
material or equipment or from trapped fingers-21%; lifting or putting down loads-17%; 31%
of slips/trips on the same level are associated with an obstruction .
Table 3.5: UK SSR incident statistics for period 1999-2002
KIND FATAL MAJOR 3 DAY TOTAL
00 01 02 00 01 02 00 01 02 00 01 02
Machinery 0 0 0 6 3 5 18 13 10 24 16 15
Hit by object 0 0 0 23 32 15 114 99 77 137 131 92
Slip/trip 0 0 0 26 27 34 140 108 96 166 135 130
Fall 1 0 0 30 27 22 62 62 22 93 89 44
Exposure 0 0 0 3 1 1 19 16 7 22 17 8
Down
asphyxiation
0 0 0 0 2 0 1 1 0 1 3 0
Handling 0 0 0 7 9 9 166 120 144 173 129 153
87
This statistic was taken to concentrate on prevention of the 3 most reported kinds of accident
but particularly on their causes. This would therefore enable the industry to make its
contribution to the Government’s target in Revitalising Health and Safety issues in shipbuilding
and repair industry by the year 2010 ( HSE, 2006).
3.4.2 Data from bureau of labour statistics USA
Reports from USA shipyard accidents show that most of the accidents are due to fall from
height, contact with electric current and caught in between equipment. The main agents that
lead to these accidents are not clearly stated in this report, due to lack of data. In Table 3.6,
falls (both low and high) resulted in the death of a number of shipyard employees. According
to BLS data for 2002-2010, almost one-quarter of shipyard fatalities were associated with falls
(both high and low fall). BLS CFOI data showed that at least 12 shipyard fatalities (6.7%)
resulted from contact with electrical current and 37 fatalities (22%) occurred because of contact
with objects.
Table 3.6: US Census for fatal occupational injuries from 2002-2010
BLS injury data showed that an even greater percentage of injuries were associated with new
types of accidents. A detailed table showing the US Census for Fatal Occupational Injuries in
shipyard industry registered between the years 2002 to 2010 shows the secondary nature of
accidents, the injuries and part of the body affected by workers in SSR. Carelessness of the
workers, insufficient safety training and education, unawareness of costs of accidents,
erroneous series of human operations, and inadequate work site environment remain the key
risk factors for occupational accidents (Baris, 2012).
Characteristics All
industry
Shipbuilding and repairing
2002 2003 2004 2005 2006 2007 2008 2009 2010 Total
Total 5,920 11 18 15 10 15 15 25 23 11
Contact with
objects and
equipment
1,006 5 4 3 7 3 8 3 2 37
Struck by object 571 1 3 3 3 2 4 2 18
Falls 734 1 3 3 4 3 4 6 9 7 40
Fall to lower 659 3 4 6 8 4 25
Fall from scaffold, staging
85 1 1 3 4 9
Transportation
accident
2,573 2 5 3 3 2 4 19
Fires and explosions
177 1 1 2 3
Contact with
electric current
256 4 1 1 3 3 12
88
3.4.3 Census of fatal occupational injuries in SSR USA (2010-2013)
In Table 3.7 the four most prominent accidents registered in shipyard in USA are drowning,
exposure to harmful substance, multiple traumatic injuries, and hit by vehicle. All these
accidents are registered in the year 2010. There exist an excellent record in slip/trip and fall
from height from this statistic. No accidents were registered between the years 2010 and 2013.
Nevertheless, the number of fatalities registered during this period was 30. From 2010 to July
2013, shipyard activities resulted in the death of 40 workers. The highest rates of accidents
were found among welders, blasters, painters and substructure workers.
Table 3.7: Census of fatal occupational injuries, 2010-2013
Characteristics All industry Shipbuilding and repairing
2010 2011 2012 2013 Total
Total 7,630 5 5 7 10 27
Exposure to harmful substances 2,226 - - - 3 3
Drowning 623 - - - 3 3
Falls 934 - - - - -
Other traumatic injuries 1343 - - - 4 4
Vehicles 2112
Contact with object 39 - - 3 - 3
Slip/trip - - - - - -
3.4.4 Data collected from occupational safety and health division, Singapore
Data collected from OSHD Singapore, shows Accident Frequency Rate (AFR) in the shipyard
industry remains high, at a rate of 1.3 per million man hours worked. Most accidents are due
to fall from height from scaffold as detailed statistics are provided. Other accidents recorded
include; caught in between objects and hit by a falling object. In the shipbuilding and repair
industry the Accident Frequency Rate (AFR) which measures how often workplace accidents
take place dropped from 2.2 in 2012 to 1.3 in 2013 as seen in Table 3.8. The Accident Severity
Rate (ASR) dropped from 257 per million man-hours worked to 180 in Table 3.8. This result
shows how much effort has been put in place to reduce accidents in SSR during these years,
but the measures in place are not good enough.
Table 3.8: Accident severity rate 2012 and 2013
Per million man-hours worked
2012 2013 All sectors 2.3 1.6
Construction 2.3 2.5
Manufacturing (SSR excluded) 1.8 2.1
Shipbuilding and Ship repair 1.8 2.9
89
3.4.5 Workplace fatality by type of accidents
In shipbuilding and repair, struck by falling objects remained as the dominant accident type,
leading to 44%, or 4 out of 9 workplace deaths. The sector saw fatalities associated with new
accident types, namely exposure to harmful substances (i.e. smoke), drowning and struck by
moving objects in 2007 in Table 3.9.
Table 3.9: Accident by type of agent
3.4.6 Temporary disablement in shipbuilding and repair
The top five accidents types common to temporary disablements in SSR include
stepping/struck by object, caught in or between objects, falls from height, slipping and tripping
as in Table 3.9. The top five agents of accidents from all industry include metal items, floors
and level surfaces, hand tools, and transport equipment seen in Table 3.10.
Table 3.10: Accident types leading to temporary disablements in SSR
% of temporary disablements in each sector
Industry 2007 2006
Shipbuilding and ship repair
1. Stepping on/striking/stuck by object 29.6 29.1
2. Caught in or between objects 23.1 17.7
3. Struck by falling objects 12.1 12.1
4. Falls from height 12.5 10.0
5. Slipping and tripping 5.8 6.7
Type of accident Workplace fatality
Permanent Disability
Shipbuilding
2006-2007
Constructi
on
2006-2007
Shipbuilding
2006-2007
Construction
2006-2007
Total 9(10) 24(24) 35(27) 18(16)
Falls from height 1(2) 14(15)
Struck by falling object 3(4) 4(5) 5(3) 3(6)
Fires and explosions 1(0)
Drowning 1(0) 1(0)
Stepping on, striking 1(0) 0(1) 4(4) 14(7)
Exposure to harmful
substances
2(0)
Electrocution 2(0)
Exposure to heat 1(0)
Slipping and tripping
Caught in or between
objects
2(2) 1(2) 8(9) 17(11)
90
3.4.7 Accident analysis in dry docking operation
FSA is a systematic risk based methodology aimed at considering the shipyard as a whole,
including protection of life, property and the environment. However to become useful, the FSA
needs a lot of work to implement all necessary information and tools. It is evident that such an
exercise becomes effective if it is carried out on a wide and cooperative basis, with the support
of all interested parties, e.g. owners, operators, insurers, administrations, classification
societies, etc. Data interpretation is carried out with caution, as it is highly likely to find some
degree of under reporting of incidents. This would entail that, the actual number of death,
accidents and shipyard casualties would be higher than the figures presented. However the data
gathered and analysed in this chapter show that there is a real problem in shipyard safety. The
frequency of accidents and associated severity are considerably higher by maritime standards
compared to other construction and manufacturing industry.
The following results are obtained (numbers in bracket represents fatality figure): OSHAD
(Singapore) Fatality results - (a) Struck by falling object (7); (b) Caught in/or between object
(6); (c) Falls from height (8). Permanent disability results – (a) Caught in or between objects
(17); (b) Struck by falling object (9); (c) Stepping by falling objects (8). Temporary
disablements – (a) Stepping or struck by objects; (b) Caught in or between objects; (c) Struck
by falling objects; (d) Falls from height; (f) Slip/trip. In OSHA (USA) Fatality results – (a) Falls
(45); (b) Contact with objects (24) and; (c) Electrical current (10). Injuries – (a) Exposure to
harmful substances and; (b) Drowning. In UK HSE Fatality – Fatality; (a) Fall. Major injuries
– (a) Slip/trip (87); (b) Fall from height (79); and (c) Hit by object (70).
3.4.7.1 Risk from Falling from Height
Risks of falling from a height can be divided into two main factors; workers unrelated and
workers related. During the shipbuilding process various structures and scaffoldings are
constructed in the shipyard. Various operations such as welding, cutting, blasting and painting
are carried out on the vessel. Wiggles and sometimes crashes occurring in haphazard
established unstable structures and scaffoldings may lead to accidents (Baris, 2012).
Framings (strength and support elements) used in the structures and scaffoldings material lack
of appropriate materials and necessary conditions, unprotected scaffoldings, use of inexpert
personnel during construction and installation phase of the scaffoldings, workers without the
91
necessary safety equipment (safety harness, helmets, gloves, etc.) increase the risk potential of
these accidents, and result in serious injury and even death. For the workers related factor,
impaired posture control is one of the main reason for falling from a height. In general, about
40% of all accidents associated with falling and slipping are because of possible confounding
effects of posture control (Moll Van Charante et al., 1991). As a result, basis for falling from
a height, slippage, loss of balance and posture control, distraction, loss of concentration,
fatigue, apathy, inappropriate working positions, work during the conversation or fighting with
someone else, scaffolding without handrails, may be considered (Baris, 2012).
3.4.7.2 Risk of Electric Shock
During welding operations, perspiration from the body becomes conductive and the occurrence
of electric shock as a result of contact with electrical current during the accidents is high. In
addition, removal and installation of electric motors and systems, electrical shock accidents
occur. Accidents caused by electric shock with high current and voltage are largely fatal (Baris,
2012).
Shipyard safety management system in the absence of disorder, depending on the cables, and
scattered areas of work of the presence of an open arc jump, electrical distribution panels to be
exposed, not made available or no earthing systems, using elements such as leakage current
relay raises the risk of electric shock accident. Simple accidents of electric shock, injury, death
appears to vary from affected states (Baris, 2012).
Size effect of electric shock accidents, exposure to voltage, current resistance against the body,
the current type (AC–DC), electrical contact with the time and depends on the path of electricity
in the body. Victims of electric shock, had a loss of consciousness, respiratory arrest, cardiac
arrest, the body burns, the effect of impinging on the victim from electrical injuries are growing
as a result of jumping and falling. The main reason for the sudden deaths due to electrical shock
is heart stroke (Baris, 2012).
3.4.7.3 Risks of Fire and/or Explosion
Shipyards frequently encountered fires caused by flammable and explosive gases. LPG, LNG,
oxygen, hydrogen, acetylene and other gases can cause these types of fires. Explosion occurs
because of a build-up of gas when there is lack of proper ventilation in closed areas (Baris,
2012). During welding operations, oxygen and acetylene hoses for welding gas incontinence
92
and improper lay up of flammable and combustible materials can cause explosion and fire. The
tanks would need to be ventilated during entry. Flammable gases cause explosion and fire
accidents if the gas-free process is skipped (Baris, 2012). The electrical fires commonly happen
during installation and repair of electrical systems. Besides, the most commonly encountered
fire accidents are gasoline fires occurring during the repair of main and auxiliary engines
(Baris, 2012).
3.4.7.4 Risks of being struck by or striking against objects
These types of accidents are sustained as a result of collision and contact made between the
body of the workers and any objects. Workers are exposed to risks with falling materials from
scaffoldings, and decks; the most fundamental reason for those type of accidents is, not wearing
helmets. During welding processes, while electricity supply burrs and slag particles bounce out
of control, it can collide with various parts of the body (Baris, 2012). Also, during oxygen and
acetylene welding and cutting operations, the cut surface is heated to excess, and contact with
the surface is dangerous. During repair of the piping, high pressure steam, or a variety of
injuries occur as a result of contact with the fluid. In similar instances, accidents occur during
blasting operations, as a result of not using protective clothing (Baris, 2012).
3.4.7.5 Risks of being caught in between objects
Ship blocks, ship plates and hatch covers can reach hundreds of tons weight of steel. Stocking
and transport of material omission and during the hatch cover assembly and repair carelessness
can lead to very serious accidents (Baris, 2012). During the transportation of heavy equipment,
workers can get jam between structures or object leading to vehicles or crane load shifting or
falling over causing crushing injuries (Baris, 2012).
The most common squeeze accidents are with hoisting crane accident risks, falling as a result
of disconnection of load bearing elements of the crane wire under the load or the crane (Baris,
2012). Proper communication between the crane operator with a pointer to the process of
removing the installed and available for crane ropes and eyebolts material due to breakage
during lifting, breaking and falling, lifting rope during break, are risks of squeeze accidents.
Section 3.4.8 provides the basic framework for the application of Fault tree-Formal Safety
Assessment (FSA) in enhancing dry docking operation. The application of FT-FSA helps to
improve the safety of docking a vessel for repair, thereby avoiding the risks of these accidents
occurring.
93
3.4.8 Steps in the application of FT-FSA in docking operation
3.4.8.1 Problem definition
The work definition in this Chapter is risk analysis in shipyard repair activities. This does not
include the operation of bringing a ship out of water for repair or launching a newly built ship.
The emphasis of these results and conclusions are on ship repairing or construction activities
already on site.
3.4.8.2 Choose goals and set constraints
The goal is to identify shipyard fatalities. Goals are to expand research casualty data base, and
accumulate results. Identify related work, and extract required information. Casualty data base
is from Turkey, UK, USA, and Singapore. An example of the constraint in this study is, work
in shipyards is carried out in normal weather conditions (e.g. good weather). Due to the large
volume of data analysed from the period of 1990-2011, comprising of more than 100 shipyards,
no generic shipyard is required to be developed.
3.4.8.3 Select risk analysis method
Expert grouping for brain-storming is by-passed in this study, due to available data and detailed
reporting on accidents for selected illustrative examples. A generic case is developed on
generic ranked hazards for detailed analysis. FTA is selected for use in Hazard identification
and detailed risk analysis.
3.4.8.4 Draw FTA for hazard identified
FTA is constructed for 15 identified hazards from data collected. This step is quite tedious, but
fault tree graphical representation makes sure nothing is missing during analysis.
3.4.8.5 Risk matrix of identified hazards
3x3 risk matrix developed in Section 3.3.3.2, is preferred in hazard identification study in
shipyards as opposed to 7x4 matrices in the MSC guidelines. Accident analysis is important at
this stage. The scenarios that can lead to every situation with potential to cause harm in dry
docking operations are analysed from accident databases, or from brainstorming meetings with
a unique goal to rank them according to consequence and severity rate.
94
3.4.8.6 Calculate equivalent total
This calculation is required in hazard identification step, so as to focus on those hazards above
number 3, as illustrated in risk matrix in Section 3.3.3.2
3.4.8.7 Hazard ranking
The top ranked hazards are identified and noted for further analysis. In the ship repair industry,
special attention however must be paid to the nature of constraints, and scopes of study defined
in Section 3.3.1.
3.4.8.8 FTA quantification process
From hazard ranking carried out, a detailed quantified FTA is carried out on identified hazards
with greatest risk. In other words, one accident might have 3 different scenarios. The greatest
risk among these scenarios should be selected for detailed analysis. In some cases, where the
equivalent total of each scenario is the same, then the quantification process highlights which
is of greater risk. Results from the five (5) top hazards are ranked, and any can be selected for
further analysis, depending on goals set in Sections 3.3.4.1 - 3.3.4.3 and time consideration.
3.4.8.9 Failure rate of top event
Engineering knowledge is acceptable here. In this study, basic events are provided with
probabilities of failure, to compute the occurrence failure rate of the system under study. A
Fault tree analysis software package (Isograph) computes the occurrence of top event, hence
by-passing time-wasting hand calculations. This software provides the basis through which the
popular ‘minimum cuts sets analysis’ can be by-passed, due to RCM and CURR analysis for
decision making.
3.4.8.10 Identify risk control option
The effectiveness of risk control options in any defined study within the scope of research in
shipyard, are based on risk analysis. Questionnaires and literatures are reviewed on existing
regulations or operation design to reduce specific risks in the area of study. All possible risk
control options identified for each potential hazard are categorised with the aim to ease the
grouping process.
95
3.4.8.11 Group risk options to risk measures
Grouping allows for risk control measures (RCM) to be applied appropriately. The detail
application of this step is presented in Section 3.3.3.4. This step is vital for risk control measure
analysis.
3.4.8.12 Risk control measures analysis
Improvement analysis is carried out by controlling failure events of FT in a quantifiable
manner, and in every analysis, the top improvement of top event is noted. The risk control
measures in this study have attributes such as: relating to fundamental type of risk reduction
(preventive or mitigating), those related to action and costs required and finally those related
to confidence that can be poured within active or passive limits within the study in ship repair.
3.4.8.13 Costs per unit risk reduction analysis
Cost benefit analysis is carried out by using equation 3.2 (see Section 3.3.3.2) and results from
Section 3.3.3.5. CURR analysis requires the time horizon for this study to be on zero wage and
inflation rate. A discount rate is recommended for analysis to be in the range of 3-6%.
3.4.8.14 Compare effective CURR and RCM
This step is to compare improvement in RCOs and values obtained from CURRs. This study
shows that the benefit of a measure outweighs the approximated costs. A base case approach
is usually encouraged to be used in ship repair industry, where available facts are published
and obtainable.
3.4.15 Decision making
Select the best RCO which reduces risk to desired level. The desired level judgement is by
results obtained from detailed FTA. Ranking of RCOs is required for effective management of
resources where appropriate. Risk reduction to a desired level must be cost effective.
Guidelines are required to be adopted from both the individual and societal type of risk
perspective and should be considered for decision making in ship repair industry. To increase
safety awareness among workers, safety culture must be somehow gained through an effective
decision making process. The strength of supervision and adjustment of safety management
policy are needed to decrease the occurrence rate of fatal accidents through FSA.
96
3.5 Application of FT-FSA in Dry-docking Operation: Fall from Height
3.5.1 Definition of work
The occurrence of occupational accidents in shipyards can be associated with risk factors from
multiple perspectives such as workers, working environment, social environment, natural
environment, and safety regulations. Because of the work force requirement under hard
working conditions and the fatality frequency count for the employment group, the production
process in shipyards can be identified as a hazardous occupation (dangerous job). Risks of
occupational accidents in shipyards are given below (Baris, 2012).
3.5.2 Risk ranking
Data analysis shows three of these accidents occurs most frequently and causes major accident
severity in shipyard. These accidents are: (a) Hit/stuck by object, (b) Fall from height and (c)
Slip/fall. Lack of sufficient data, limited this study to “fall from height and slip/fall”, to
appreciate the application of formal safety assessment in a generic shipyard. “Hit/struck by
object” not used, remains an area of interest to be considered in the nearest future. Table 3.11
shows the description of these accidents. It should be noted that, under major accident slip/trip,
the subcategories of accidents include: on wet surface, dry surface, obstruction, and others. For
accident fall from height, it could be subcategorised into either high or low fall.
Table 3.11: Accident categories and description
Categories/sub-categories Description
1. Slipped, tripped or fall from same
height
1.1 wet surface Due to spelt liquids, cargo residues, raining
weather
1.2 dry surface Cargo residue, dry surface
1.3 obstruction Dummage, scrap metal, welding rods
1.4 uneven -
1.5 other Other sources of slipped/trip
1.6 unknown -
2. Fell from height Description
2.1 high fall Height above 20m either scaffold, side of ship,
gangway failure
2.2 low fall Below 20m falls
2.3 unspecified Unspecified to this subject
97
3.5.3 Risk matrix & generic locations
A risk matrix approach is used in the hazard screening process. For each appropriate
combination, an assessment is made of the frequency (F) of the accident, and the severity (S)
of the consequences in terms of human injuries/death, property damage and the degradation of
the environment as in Tables 3.12 & 3.13. The area in the risk matrix, whereby risk is
intolerable is with RRN number 4, 5 and 6. Areas with RRN less than 4 are regions where by
risk can be ignored. This is shown in Table 3.3. Severity of identified hazards is classified as
S1, S2, and S3. The rate of likelihood of hazard happening is ranked as F1, F2, F3 and F4. The
corresponding risk ranking number (RRN) is then selected from the matrix table as in Table
3.2 (see Section 3.3.3.2). Generic locations are descriptions of typical areas in shipyard where
most of operational activities take place. These areas are shown in Table 3.14. Risk matrix is
required to calculate the equivalent total, which is used to evaluate the risk of identified
hazards.
Table 3.12: Interpretation of the frequencies F1-F4
Likely to happen on the shipyard General interpretation
F4 : 1- 12 months Frequent
F3: 2-3 years Likely to occur
F2: 5-10years Remote
F1: over 10 years Unlike to occur
Table 3.13: Shows the severity level in a typical shipyard industry
Severity value General interpretation Generic shipyard
S1 Minor injury - Negligible lost time - Property damage or remedial cost <$5,000
S2 Major - 60 days lost time - Property damage or remedial cost >$75,000 but
< $100,000
S3 Fatality - Property damage or remedial cost > 100,000
Table 3.14: Fall from height using risk matrix ranking
Accident Generic Location
Accident sub-
category
Above Deck Shipside Walkways/gangway Below deck
High fall F3S2=4 F2S3=4 F4S3=6 F4S2= 5
Low fall F4S2=5 F3S3=5 F2S2=3 F3S2=4
Unspecified F1S2=2 - F1S2=2 -
98
3.5.4 Calculating equivalent total - fall from height
The next step is to calculate the “equivalent total”. This provides a means of integrating the
risks evaluated for each hazard of the accident sub-category. It also provides a means of
estimating each accident category to determine and justify the allocation of resources- to
eliminate or reduce the risk (Wang, 2007). Table 3.15 is generated from 5 and this shows the
number of times each RRN appears within an accident category. (Only values greater than 3
are considered).
Table 3.15: Number of occurrences of each ranking score for fall from height
RRN No of occurrences
4 3
5 3
6 1
Equivalent total calculation makes use of the fact that both the frequency and severity bands of
the risk matrix are approximate logarithmic (e.g. risk level of 6 is treated as 106). Using 3 as a
base number then the following can be obtained from Table 3.14.
Equivalent total = 3 + log (300+30+1) = 5.62
Results obtained from step 1: A total of 5 hazards are identified to be associated with
accident, fall from height (5); lack of training, improper design of scaffolding, poor
communication, and gangway give up. The two most prominent hazards, identified from data
collected include; obstruction in shipyard which leads to slip/fall and scaffold failure as
presented in HAZID worksheet Table 3.16.
Table 3.16: Present HAZID worksheet for hazard due to scaffold failure
3.5.5 Risk estimation, fall from height due to scaffolding failure
Fault tree is used in risk engineering to analyse the frequency of system failure either
qualitatively by logical and structural hierarchy presentation of failure events or quantitatively
by the estimation of occurrence rate of the top event. The top event is fall from height due to
scaffolding failure in shipyards and the frequency of occurrence as obtained from Program-
Based Engagement for Scaffolding WSH, is 15 per shipyard year (WSH, 2006).The total risks
Hazard
description
Causes Effects Accident
category
Frequency Severity Risk
level
Improper design
of scaffold
Inexperience in
design, lack of
proper supervision.
Vulnerability to
severe injury or
potential death,
Fall from
height
F3 S4 3
99
summarised in this study include, structural damage, potential loss of life, and financial cost
incurred if this hazards occurs. The potential risk caused by fall from height due to scaffold
failure is estimated to about $159,350 in fines a year from statistics from OSHA reports:
“Improperly erected scaffolding and failure to train workers on the hazards of working
with scaffolding which resulted in the deaths of five workers and injuries to ten more
resulted in citations against three New York contractors - Nesa, Inc, Tri-State
Scaffolding & Equipment Supplies, Inc., and New Millennium Restoration &
Contracting Corp., - and $159,350 in penalties, according to the U.S Times report.”
The failure rates assigned to basic events in this study is an approximation due to lack of data.
Nevertheless, the event table constructed in Table 3.17. Figure 3.8 presents the final result
when using the fault tree analysis. Failure rates obtained from expert judgements.
Table 3.17: Basic event with failure rates assign
Events Failure Rate Event Failure Rate Events Failure Rate Events Failure Rate
1 0.0015 5 0.003 9 0.07 13 0.08
2 0.009 6 0.004 10 0.001 14 0.01
3 0.002 7 0.001 11 0.02 15 0.005
4 0.008 8 0.006 12 0.002 16 0.015
17 0.009
Total cost at failure rate (0.2831) = $160,000
Figure 3.8: FTA results obtained from fall from height due to scaffold
100
This result indicates that, the failure rates of basic events leads to the occurrence probability of
top event. Therefore, in further examination of this FTA, reducing or increasing the failure
rates of basic events leads to reducing or increasing the occurrence probability of top event
respectively. With this principle, risk control measures can be developed, and hence risk
control options obtained as further discussed in step 3. Table 3.17 presents the risk control
measures required to control these failure rates. The potential risk if these options are not
implemented includes loss of life, loss in production cost/fines, and structural damage
(requiring re-designer). Results obtained, shows the occurrence probability of top event (Fatal
fall from scaffold) is 0.2831, and the number of cut sets is 36, t=100hrs. This is obtained by
using the FTA software package, as hand calculation for such complex fault tree is difficult to
obtain. Figure 3.9 shows the unavailability (Q) of event, fall from height.
Figure 3.9: Results showing the unavailability (Q) of event fall from height
3.5.6 Risk control option-fall from scaffolding
In this step, the first goal is to provide evidence based on the results obtained in Section 3.4.6,
whereby reducing the failure rate of basic events leads to reducing the occurrence probability
of top events. Failure rates reduction can be carried out by using the appropriate risk control
measures. From step 2, a total of 17 risk control measures can be obtained, and are grouped
into four risk control options as shown in Table 3.18. In this step, each risk control option
would be reduced by some percentage, and the reduction of top event occurrence probability.
Table 3.18: Risk control option log
RCO1
Attribute
Stakeholders
RCO2
Attribute
Stakeholders
RCO3
Attribute
Stakeholders
ROC4
Attribute
Stakeholders
Provision of PPE at all times
Preventative & mitigating
Designers, supervisors, workers, shipyard owner, ship owner
Improvement of design
Preventive & mitigating
Designers, supervisors, workers, shipyard owner, ship owner
Improvement of housekeeping/maintenance/inspection
Preventive & mitigating
Designers, supervisors, workers, shipyard owner, ship owner
Training improvement for workers in height
Preventive & mitigating
Designers, supervisors, workers, shipyard owner, ship owner
101
From Figure 3.9, the occurrence probability of top events is obtained (0.283), and areas of high
risks to be addressed or control noted as in Table 3.19.
Table 3.19: Failure rates values for basic events
Basic Event and
areas of risk control
measures required
Failure Rate Risk Control
measures grouping
Potential Risk
1.lack of scaffold
designer knowledge
0.0015 Loss of life Structural
damage
Loss of
production
cost/fines
2. lack of fall arrestor
designer knowledge
0.0015 - - -
3.Poor scaffold
installation
0.009 RCO2 - - -
4. Poor fall arrestor
installation
0.009 - -
5. PPE not provided 0.004 RCO1 - - -
6. Negligence put on
PPE
0.001 - -
7. Poor scaffold
material
understanding
0.003 RCO3 - -
8. Poor Fall arrestor
material handling
0.02 - -
9.lack of material
compliance
0.001 - -
10. Poor material
inspection
0.02 RCO3 - -
11. Poor material
maintenance
0.02 - - -
12. Poor material
house keeping
0.002 -
13. Poor material
record keeping
0.08 RCO3 -
14. Tiredness 0.006
15. Lack of Training 0.07 RCO2 --
16. Negligence
17. Supervisors lack
training
0.005
0.01
102
RCO1: 15% reduction in failure rates of basic events 6 & 7
Reducing the failure rate of some basic events would be vital to illustrate to the different
stakeholders, owners and designers need for improving safety in shipyards. Therefore, reducing
failure rate of events 6 & 7 indicates proper implementation of RCO1 as in Table 3.20. It should
be noted that, the other basic events remain unchanged. The FTA is carried out as shown in
Figure 3.10 and the results shows the occurrence probability is reduced from 0.283 to 0.116
(59% reduction).
Table 3.20: 15% RCO1 improvement
Risk control
option
Risk control measures Initial basic event
failure rate
Improve basic event failure
rate
RCO1 Improve provision of PPE
Improve training on need of PPE
Event 6 = 0.004
Event 7 = 0.01
15% Event6 = 6.0e-4
15% Event7= 2.5e-3
Fig 3.10: FTA of 15%RCO improvement
15% failure rate reduction
103
RCO2: 85% reduction in failure rates of basic events 1, 16, 17, & 2
In this light, in order to reduce the occurrence probability of top event, other failure rate of
basic events must be reduced. In this case, reducing the failure rates of events 1, 16, 17 & 2,
by 85%, would lead to implementation of risk control options 2 as in Table 3.21. The results
obtained in Figure 3.11 show the occurrence probability of the top event is reduced from 0.2831
to 0.211 (25% reduction).
Table 3.21: 85%RCO2 improvement
Risk control
option
Risk control measures Initial basic event
failure rate
Improve basic event failure
rate
RCO2 Improve fall arrestor design
Improve scaffold design
Improve scaffold installation Improve fall arrestor installation
Event1 = 0.015
Event16 =0.015
Event 17= 0.009 Event 2= 0.009
85% Event 1 =1.2e-3
85% Event 16= 1.2e-3
85% Event17=7.5e-3 85% Event 2 = 7.5e-3
Figure 3.11: FTA of 85%RCO2 improvement
85% failure rate reduction
85% failure
rate reduction
104
RCO3: 40 % Improvement in failure rate of basic event
Improving the failure rate of basic events 12, 5, 10, 11, 3, 4 and 13, by 40% means RCO3 is
well implemented as in Table 3.12. The results obtained from Figure 3.1 shows the occurrence
probability of the top event is reduced from 0.2831 to 0.097.
Table 3.12: 40%RCO3 improvement
Risk control
option
Risk control measures Initial basic event
failure rate
Improve basic event
failure rate
RCO3 Poor scaffold material handling
Poor fall arrestor material handling
Lack of material compliance Poor scaffold material handling
Poor material handling
Poor fall arrestor record keeping Poor scaffold record keeping
Event 12 = 0.002
Event 5 = 0.02
Event10=0.001 Event 11= 0.02
Event 3= 0.002
Event4= 0.008 Event 13=0.08
40% Event12= 8.0e-4
40% Event 5= 1.2e-3
40% Event10=4.0e-4 40% Event11=8.0e-3
40% Event 3= 8.0e-4
40% Event 4= 3.2e-3 40% Event13=3.2e-3
Figure 3.12: FTA of 40%RCO3 improvement
40% Failure reduction of events
40% Failure reduction of
events
105
RCO4: 35% Improvement of some basic events
Improving the failure rate of basic events 8, 9, 15, and 14 by 35% means that, RCO4 is well
implemented. This could be seen in Table 3.13. Results from Figure 3.13 shows the occurrence
probability of top event is reduced from 0.2831 to 0.076.
Table 3.13: 35% RCO4 improvement
Risk control
option
Risk control measures Initial basic event
failure rate
Improve basic event failure
rate
RCO4 Improve awareness on tiredness
Improve training at height
Zero tolerance on negligence
Improve supervisors knowledge
Event 8 = 0.006
Event 9 = 0.07
Event15= 0.005
Event14 = 0.01
35% Event 8 = 2.1e-3
35% Event 9= 2.4e-2
35% Event 15= 1.75e-3
35% Event14= 3.5e-3
Figure 3.13: FTA of 35%RCO4 improvement
35% Failure
reduction of events
35% Failure
reduction of
events
106
3.5.7 Cost benefit assessment
The results obtained from Step 3, shows a reduction of the occurrence probability of the top
event is achieved by reducing failure basic rates of basic events. These risk control options are
presented in Table 3.24.
Table 3.24: Results obtained from step 3
Risk
Control
Options
Initial Occurrence
probability of top event ( I)
Re- Calculated occurrence
probability of top event ( R)
Differences % Reduction
( I-R/I)*100
RCO1 0.283 0.116 0.167 59%
RCO2 0.283 0.211 0.072 25%
RCO3 0.283 0.097 0.186 65%
RCO4 0.283 0.076 0.207 73%
This step aims at identifying and quantifying the cost to be paid and benefit to be expected
when each RCO developed in step 3 is implemented. Each RCO is evaluated in terms of
implementation cost and benefits, and this is achieved by establishing the total implementation
cost and then deriving its associated cost per unit reduction in risk (CURR). This could be seen
calculated by equation below (Lee, 2002):
NPV = (3.6)
where B and C are benefit and cost, respectively, r is discount rate of 3%, t is the measure of
time horizon from 0 to n years, and i is inflation or wage increase. For the four RCOs selected
to be analysed in this study, CURR could be calculated by the difference between the cost and
benefit divided by the risk reduction. Table 3.24 shows the different implication of these RCOs.
For example, the cost proposed by OSHA for providing training to workers at height is $15,000
a year (RCO4). The benefit enjoyed from implementing these risk control option would reduce
the occurrence probability, “for fall from height due to scaffold failure”, by 72% hence, ripping
a benefit of 10, 800 (72% of 15,000) in Table 3.25.
Another example is presented with cost estimated for improving scaffold material,
maintenance, housekeeping and record keeping (RCO3) to be $ 25,000 a year. The occurrence
probability of the top event is reduced to 65% when RCO3 is implemented in step 3. In this
light, the benefits obtained upon the implementation of RCO3 is $16,250 (65% of 25,000)
presented in Table 3.25 from which CURR3 is calculated.
tn
t r
icbCURR
0 1
1
107
Table 3.25: Summary of cost-benefit assessment
Stakeholders RCO1 RCO2 RCO3 RCO4
Cost( C1) Benefit
( 59%C1)
Cost(C2) Benefits
( 25%C2)
Cost( C3) Benefit
( 65%C3)
Cost(C4) Benefit
( 72%C4)
Shipyard owner/
operator/ Designer/Installer/reg
ulators
5000 2,950 9500 2,375 25,000 16,250 15,000 10,800
Total in $ 5000 2,950 9500 2,375 25,000 16,250 15,000 10,800
Risk reduction 1 2 3 4
Assuming that the time horizon for the safety assessment is for 10 years at a discount rate of
3%, and using equations1, the CURR calculation for each RCO is given as follows:
= $17,486
= $30,385
= $24,882
= $8,956
These results show RCO4 is the best option to implement. This may be recommended to for
implementation, with RCO2 being the worst option.
3.5.8 Recommendation for decision making
It is noted clearly from the calculation that, if CURR is used as the only measure of
effectiveness in the decision-making process, the most effective RCO would be RCO4. RCO1
would be the next and RCO2 the least effective according to the CURR calculations. However,
initial benefits for implementing RCO3 are higher than those of RCO4 as in Table 3.25. This
strongly indicates the shortcomings of using CURR as the sole tool for decision.
10
0 1
03.01295050001
t
t
CURR
10
0 2
03.01237595002
t
t
CURR
10
0 3
03.0116250250003
t
t
CURR
10
0 4
03.0110800150004
t
t
CURR
108
Chapter 4 – Use of a Fault Tree – Bayesian Network for Dry Dock Risk Analysis
Summary
Shipyards are complex systems with economic functions; they are subject to specific harsh
environmental conditions and are built mainly in areas with increasingly corrosive activity.
This chapter focuses on one particular dry dock type called ‘relieving graving dock’
reinforced with concrete. A detailed quantitative risk analysis with novel fault tree-Bayesian
network mapping algorithm is used to rank the most dominant failure mechanisms in terms of
risks. The results of this analysis will be a guide for the design, construction and maintenance
phase of graving docks applicable to any critical component identified from a risk analysis
perspective. The research results should be valuable in enabling industrial participants to
manage large engineering risk projects and extending understanding of ship repairing.
4.1 Introduction
In recent years, safety analysis has played an important role in the verification of system safety
and avoiding casualties and property losses. Actually it is difficult to verify dry dock safety
using traditional computer software engineering analysis such as fault tree (FT) ++ given the
dependency among the risk factors/events.
As an important way for verifying safety in graving dry docks, the fault tree-Bayesian network
(FT-BN) has attracted more attention in practice (Cai et al., 2010). However, it is still an open
question as to how marine safety analysts could make FT-BN more efficient. With the
development of science and technology, modern ships have grown in size, while the
relationships between upgrading graving docks’ equipment and structures of these huge ships
have also become more and more complex. The system safety, operational efficiency, life
cycle cost control, and maintenance of docking systems have encountered a lot of challenges
in terms of practical application (Cai et al., 2010).
Maintenance actions suggested from hazards identify that more detailed risk analysing
techniques are required to avoid catastrophic failure in graving dry docks. Various parties
(operators, shipyards, regulators, and government) in their respective working context are very
often involved in a sequence of events leading to accidents in graving dry docks, such as the
collapse of dry dock gates. This is the most critical issue in graving docks, thus there is a need
to develop an effective risk or accident analysis to avoid future operator errors. For the past
decades, risk analysts in dry docks have proposed techniques such as Fault Tree Analysis
109
(FTA), Failure Mode Effects and Critical Analysis (FMECA), and Fuzzy Set Theory (FST).
In these methods and technologies, FTA, which generates the use cases by the minimal cut
sets of fault trees, cannot determine the priorities of all the use cases and cannot utilise the
finished test results (He and Tao, 2011). A more applicable approach to solve this problem is
by transferring FT to BN (described in this chapter), expressing the information in fault tree
and Bayesian networks together. The layout of this chapter is presented in Figure 4.1.
Figure 4.1: Flow chart of the development of study
In this chapter, a quantitative approach in the reliability evaluation method of the dry dock
failure analysis of a caisson gate of a graving dock has been studied for the application of BN
transferred from a fault tree. Section 2 presents the statement of the problem in the graving
dock reliability analysis. Section 3 presents the two typical steel sliding gates used in this
study. Section 4 is a review of FT-BN applications in engineering. Section 5 is an overview
of converting a fault tree to its corresponding Bayesian network. Section 6 is the illustrative
example of the failure analysis of a dry dock gate highlighting the system reliability. Section
7 is the framework of overcoming the problems of constructing conditional probability tables
(CPTs) of a large Bayesian network. Section 8 presents a case study of applying a large BN
analysis of a sliding dry dock gate at Birkenhead, Liverpool, UK. Section 9 provides the
discussions and conclusions.
2. Analyse the issue/problem and set up a goal
(Statement of Problem)
3. Typical dry dock gate review
4. Application of fault tree-Bayesian network
5. Converting fault tree to Bayesian network
(Selection of Fundamental Risk Model)
6. Illustrative example
(Maritime Application)
7. Constructing Large Bayesian network
(Applicable to Floating Dry Docks)
Hazard
Identification
and Ranking
Risk
Analysis and
Estimation
Literature
survey
Discussions
with experts
Brainstorming
technique
Expert panel
meeting dates
Risk Control
Measures
8. Fault tree Bayesian network in large dry dock
gate risk assessment (Case Study)
9. Recommendation for Decision Making
1. Introduction
110
FTA is an important verification methodology for graving dock risk analysis. It is a top down
technique used to analyse the origin of the failure, determine the graving dock safety
requirements, detect the logic of errors, identify the multiple failure sequence involving
different parts of the system (such as human and hardware). It provides an analytical tool to
determine appropriate input data in graving dock analysis. FT can be used to analyse systems
in the field of probabilistic risk assessment. However, traditional FT cannot handle sequential
and functional dependencies between components (Shao et al., 2011).
BN is a directed acyclic graph used to represent uncertain knowledge in the field of graving
dock risk analysis. This is defined to consist of qualitative and quantitative relations (Burton,
2001), and because of the advantages of uncertainty and conditional independence expression,
the BN provides a comprehensive method of representing variable states and variable
relationships. In addition, the BN presents these things by graphical diagrams of nodes and
edges, BN can be understood more easily than many other techniques (Zhang and Guo, 2006).
Besides, an efficient method (Wojtek and Milford, 2006) can make the conversion of fault
trees to Bayesian networks easy. In a BN, the nodes represent a random variable; the arcs
signify the existence of direct causal influences between variables, and the strengths of these
influences are expressed by forward conditional probabilities (Wang and Xie, 2004).
Accordingly, this provides BNs with the ability to calculate posterior probabilities of unknown
variables in graving dock failure analysis based on the variable evidence and conditional
probability distributions. It is proved that the BN is suited for equipment failure prediction,
especially for the complex equipment under uncertainty (Cai et al., 2010). The BN provides a
promising framework for system reliability assessment (Angrig and Kohlas, 2005; Kral et al.,
2005) in the ship repair industry. Based upon the analysis of BN by inputting prior information
of the dry docking system failure, the probabilities of the fault occurences are effectively
computed based on which proper preventive maintenance strategies can be established (Jong
and Leu, 2013). This research however proposes a FT-BN risk analysis approach with the
focus on dealing with uncertainty in data as a standalone characteristic of risk linked to each
foreseen operation, applicable to any other critical component in graving dry dock highlighted
to enhance safety certifications from a perspective of risk analysis. Lastly, due to the BN’s
powerful ability of modelling uncertainty propagation and updating through the nodes, it can
overcome the disadvantage of earlier upgrading methods where information from the system
level cannot be transformed to the component level.
111
4.2 Problem Definition
Risk analysis involves two basic types of uncertainty. The first is due to inherent randomness
in the phenomenon and the variables chosen to model it. The second is due to inaccurate
modelling, insufficient data, etc. This research is concerned mainly with this second, or
epistemic, source of uncertainty, and its propagation through a risk analysis involving rare
events such as the collapse of a dry dock gate (Castillo, 1999). In standard analysis, model
parameters are assumed to be constant values, however, on many occasions these parameters
are difficult to assess or are estimated. Thus, their initial deterministic character is considered
to be inadequate and parameters are assumed to be random variables. When this occurs and
the aim of the analysis is to monitor the effect of this randomness on a given target variable,
we say that we are dealing with an uncertainty analysis (Castillo, 1999).
In the case of FT or BN models, the input uncertainties associated with the basic fault event
or conditional probabilities (the parameters) are propagated through the model to obtain the
corresponding uncertainty associated with the probability of the top event in dry dock gate
failure. Since fault tree models are an integral part of FSA, the propagation of input parameter
uncertainties through such models to arrive at the corresponding uncertainty in the probability
of the top event, that is, the system unavailability, is of fundamental importance (Castillo,
1999). In traditional FTA the probabilities of basic events are treated as exact values, which
could not reflect the situation of a dry dock gate system because of the ambiguity and
imprecision of some basic events. In many circumstances, it is generally difficult to estimate
the precise probabilities of basic events. Thus, it is often necessary to develop a new method
to capture the imprecision of failure data. In this regard, it may be more appropriate to use BN
(Yanfu and Min, 2012).
Marine works have been subjected more and more to risk analysis over the past few decades;
for example, fishing vessels, ports, marine transportation, offshore support vessels,
containerships, LNG ships, ship hull vibration, crushing ships, liner shipping, high-speed
crafts, oil tanker, passenger roll on/roll off (roro), vessels with dangerous goods and bulk
carriers (Nwaoha et al., 2012). Costal structures like wind turbines (Sorensen et al., 2004),
optimisation of harbours (Billard et al., 2007) and harbour monitoring (Yanez-Godoy et al.,
2006) for reliability are other creative areas of risk analysis carried out in marine areas beyond
ships and offshore structures. However, the literature review reveals very little on risk analysis
on structures used in bringing ships in and out of water for repair. An example of this type of
112
structure is the graving dock. The graving dock is typical in that it is surrounded by earth on
three sides and has a floatable caisson (or gate) at one end. The walls usually consist of two
sections: thick walls and/or thin walls. An example of such a dock is the Charleston dry-dock
in the USA, reinforced with concrete, which is particularly known as a relieved graving dock
(Wu et al., 1990). To support fleet operations, it is important to maintain the existing dry docks
in a safe condition and to assure that the full capacity of the dry dock is maintained. Each dry
dock needs to be initially certified for its safety and capacity for three to five years. To certify
the safety of a graving dock, the stability analysis of the dry dock is performed using a finite
element analysis. The content of this report is generally based on (Wu et al., 1990):
A material condition survey performed by a field investigation,
structural analysis using a finite element analysis computer program, and
the operation and maintenance procedures provided by the shipyard.
The safety certification of a graving dry dock comprises a structural analysis of geotechnical
characteristics, structural parameters, soil structural interaction, and load cases. These safety
certifications however have not prevented failure happening in graving shipyards. Typical
accidents may include collapse of dock walls due to static lateral soil pressure and dynamic
earthquake loads. A recent accident involving caisson gate failure on 27 March 2002, at Dubai
Dock No 2, one of the world’s largest ship repair facilities, caused uncontrolled flooding of
the dock (Paul, 2011) leaving 21 people dead. Again, if the dry dock is not founded on deep
foundations, such as piles, then a net uplift would result, causing the dry dock to float and tilt.
However, according to Wu et al. (1981), this failure is not likely to occur.
From a risk analysis perspective, the analyst is required to gather enough data to classify a risk
or failure unlikely to occur in a scientific manner, although Wu et al. (1981) analysed structural
risk of graving docks based on their 20 years in the field. In the preparatory study preceding
risk analysis, a detailed study is required to identify critical elements in dry docks. These
critical elements are; dry dock gate, walls, piles, concretes, structural components, and ballast
system control. In the maritime industry, it is necessary to address the issue as to why the
industry normally reactively responds to an accident and then is motivated to modify the
existing safety certification or propose new ones. The safety culture of anticipating hazards
rather than waiting for accidents to occur is based on a detailed risk analysis. Faced by ageing
of these structures, risk analysis faces some challenges. Most recent graving docks trace their
113
origin back over 40 years, with rehabilitation and capacity upgrade to accommodate larger
ships mid-way through this period. These indicators affect the condition diagnosis and ageing
diagnosis of components and facilities in dry docks to adapt maintenance actions for larger
fleets. Again, selecting critical elements for risk analysis becomes difficult since most
components may be at high risk of collapse due to age. In this study, the risk analysis to support
operation and maintenance of an ageing dock gate for the Port of Marseilles authority is re-
visited. The dock gate identified as a critical component is further plagued by age. The
previous study by Crouighneu et al. (2008) was based on FMECA with the methodology
highlighted as follows: (1) to characterise the risk linked to each foreseen operation scenario;
(2) identify the most appropriate actions to control these risks; (3) integrating operation
constraints (e.g. the need to put the dock gate in dry dock); (4) rank actions regarding their
cost/benefit ratio and; (5) building a maintenance plan.
4.3 Dock Entrances and Dock Gates
Dewatering of the dry dock takes place after setting the dock gate, which permits full closing
at the highest predicted water level, and opening at least at the mean level. The gate as well as
its support ‘must safely withstand the largest water pressure from the water side’ was
suggested by Crouighneu et al. (2008). Dock gates should fulfil the following objectives: (a)
great tightness for all possible loading cases; (b) short opening and closing times; (c) easy
servicing and maintenance; (d) mechanical reliability; (e) monitoring of the gate position
during opening and closing; and (f) minimum operation and maintenance costs. Seals should
correct any unevenness of the concrete surfaces which could not be eliminated by grinding.
Another common problem with the gates is protection against corrosion, ice actions, and they
must have sufficient buoyancy to allow them to be placed in their seating and removed for
maintenance repair (Crouighneu et al. 2008). Again, the dock gate as a whole must be
subjected to detailed complex static calculations in order to find the dimension of each
structural element and also to establish interaction of the individual sections and the bearing
elements. The tightness of the dock depends on these individual elements. Lastly, as water is
added to the gate to sink it, the weight of the water causes the centre of gravity to alter as the
gate takes on slight angles, raising stability issues. Many types of dock gates are in use
nowadays. They are classified as floating, sliding, mitre, hinge, and flap gates but only the
sliding gates of Dry dock No. 10 in Marseilles, France and in dry dock at Birkenhead, UK are
considered in this research, where the latter serves as a benchmark study, and the former for
detailed analysis (Mazurkiewicz, 1980).
114
4.3.1 Steel sliding gate, Birkenhead, UK
The gate is constructed on the arc of a circle with a centre line radius of 48.8 m. The radii
through the outer gate subtend at an angle of 610, made of steel 49.1m long, 13.4 m high, and
4.3m wide. The gate has four decks lettered A, B, C and D. A is the Top Deck. On these decks
are the driving winch, control panel, tank gauges, ladders for access at each end, and boxes
for valve operation (Mazurkiewicz, 1980).
The gate is usually controlled from the desk in the control room, from which it is clearly
visible. When the button is pressed, the gate commences to move at 1.4 m/s. The space
between A and B deck is the Tidal Chamber. Tidal flaps, normally held open by wires, allow
the water to flow in from the river and the ends of the gates are also open. When force is
impounded in the dock these wires are released, the flap valves close and valves in the inner
skin are opened. These arrangements prevent any buoyancy being obtained from the upper
chamber (Mazurkiewicz, 1980). Figure 4.2 presents the general arrangement of a sliding gate
in Birkenhead.
Figure 4.2: General arrangement of a sliding gate in Birkenhead, UK (Mazurkiewicz, 1980)
The space between B and C decks is an Air Chamber. By pressurising this chamber the covers
to the sheave chambers below may be removed and maintenance to the rollers carried out
while the gate is in its normal closed position. Between C and D decks are housed the trimming
tanks, the scuttle, the ballast tanks and the sheave chambers. The trimming tanks were
115
designed to enable the gate to be trimmed to an even draught. However, after the gate had
been floated, readings were taken of the draught and permanent ballast was added to bring it
to an even keel; there should not, therefore, be any further need to use the tanks
(Mazurkiewicz, 1980). The two scuttle tanks are used to sink the gate in position and will
normally be left full, only being emptied when it is desired to float the gate out of its position.
When it is desired to empty the scuttle tanks the water can be blown out by air pressure. The
two ballast tanks are flooded when the gate is in the closed position to increase its stability and
prevent any movement due to wave action. Below D deck are the rollers to guide the gate on
its circular path, one pair of rollers at one end, two pairs in the centre at 1.2m centres and two
pairs near the other end at 2.4m centres (Mazurkiewicz, 1980).
During travel the rollers, running against meehanite plates on the central guide-wall, hold the
gate in the centre of the recess, approximately 2.5mm off each meeting face. The gate rests on
steel plates 305mm wide and 63mm thick which slide on meehanite plates set in the concrete.
Structurally the gate consists of two skins and four deck plates. The upper skin between A and
B decks is 3.8mm thick and the remainder 2.5mm thick (Mazurkiewicz, 1980). The quoins
and sill are provided with greenheart faces which bear on granite faces on the inner stop,
precast concrete faces on the impounding stop and a dressed concrete face on the upper stop.
To ensure water tightness a rubber L-shaped strip was fixed to the outer edge of the green
heart-facing pieces (Mazurkiewicz, 1980).
Operationally manoeuvring the dock gate involves pumping ballast out of the caisson until
the dock gate is set afloat and moves into its chambers. The pumping operation is carried out
with four submerged pumps, each of 2,220 m3/h capacity, setting the dock gate afloat within
about 15 minutes. The layout of the suction and delivery pipes of these pumps also makes it
possible to draw water from the dock or to empty an adjacent ballast compartment.
The dock gate is shifted by a longitudinal sliding motion, brought about by: (1) a 2-pile system,
sliding vertically within frames attached to the outside face of the structure, and sliding
horizontally within the steel grove; (2) a hauling trolley actuated by a 2-stroke 250KN winch.
When actuated this trolley is attached on one side to a rail horizontally affixed along the gate
garage. When the gate is being closed, operations are reversed. Precise sitting when stranding
the gate is obtained: (1) transversely, by projecting stops which are integral with the sill and
designed for guiding metal ball fitted parts on the underside of the dock gate; (2) longitudinally
by bumpers on the wall of the pumping station (Mazurkiewicz, 1980).
116
4.3.2 Dry dock No.10., Marseilles, France
Another type of dock in this study is the dry dock No 10, in Marseilles, France, with
dimensions of gate chambers as shown in Figure 4.3. The chamber walls are made as
reinforced concrete walls and reinforced concrete angular walls supported on piles. Stability
was ensured by installing ground anchors. This pre-stressed concrete structure has the
following dimensions: length 87.35m, width 15m, height 13.5 m (Figure 4.4), where 1 is the
guiding post, 2 is the service road, 3 is the sealing system, and 4 the bearing-panel block. In
elevation, the dock gate consists of 28 identical cells, of 5.82m x 6.64m inner size, grouped
into four ballast chambers (Mazurkiewicz, 1980).
Figure 4.3: Dock gate chamber of the dry dock no. 10, Marseilles, France (Mazurkiewicz, 1980)
The dock gate is a self-stabilising pre-stressed concrete caisson that behaves like a gravity
dam. When closed, the dock gate is supported along two lines: one on the seaward side
conveying to the sill vertical reactions that compress the sealing system (Figure 4.5); the other
on the dock side, transmitting the horizontal water pressure components in addition to the
vertical reactions to the sill. Due to the sliding nature of these gates, the water pressure is
transferred to the dry dock sidewalls and the sill. As a result of gate deformations, the greatest
forces are transferred to the sidewalls at the water surface, and to the sill along the axis of the
dock. This requires sealing on the side surface of the gate, which also influences the cross-
section, which is generally rectangular (Mazurkiewicz, 1980).
To ensure the proper tightness it is advisable, in the light of the above remarks, to construct
the sliding tracks so as to permit some side movement of the gate. During the sliding operation
the gates are ballasted in such a way that their total reaction on the sliding tracks does not
exceed 100 KN. They slide along rails on the dock sill on special wheels fastened to the bottom
117
of the gate, or on rollers. They can also slide on smooth surfaces. In some cases the gate
support is only a wooden or steel beam sliding on the smoothed bed surfaces or on loose rollers
in special boxes (Mazurkiewicz, 1980).
Designs without rails will ensure better tightness of the gate because the gate, owing to its own
weight and the ballast, will press towards the slide surfaces, thus creating additional horizontal
tightness. The structure is entirely pre-stressed. The floor slab, the sidewalls and upper deck
are pre-stressed in both directions (Mazurkiewicz, 1980). The cables employed are protected
by rigid sheaths, the continuity of which is maintained by special sealed sleeves. The minimum
draught of the dock gate (8m) permits it to be accommodated in any dry dock for repairs.
Vertically, water-tightness is ensured by two metal vanes, rimmed with rubber and tightly
squeezed flat by the water pressure. Water tightness at the base is ensured by a pre-stressed
rubber seal, flanked and protected by pieces of azobe wood (Mazurkiewicz, 1980).
Figure 4.4: Cross-section of the dock gate Figure 4.5: Sealing system (Mazurkiewicz, 1980)
4.4 The Application of a Fault Tree - Bayesian Network
4.4.1 Safety criticality software analysis
Hobbs and Developer (2012) of QNX software systems said, ‘using Bayesian belief network
to express fault tree, allows incorporation of both hard and soft evidence into analysis of a
system in a quantifiable way.’ In applying the FT-Bayesian network to a neutrino microkernel
a fault tree was developed guided by product history over the period 2002 to 2009. The top
event was ‘QNX Neutrino can fail’. FT was mapped to Bayesian network to incorporate soft
evidence about field failures rates, and calculate the resulting post-probabilities. Reports of
failures in the field with field usage figures to estimate the failure rates were obtained and used
in the fault tree. Sensitivity analysis was carried out to find the values to which the final result
was most sensitive.
118
4.4.2 Feeding control system analysis
In 2011, Khakzad et al. (2011) compared Fault Tree and Bayesian Network approaches.
Though this research took a ‘comparing’ approach, ‘mapping’ was the more efficient term to
use. Using fault Tree and Bayesian Network as a failure analysis technique, the applicability
of this approach to the performance of ‘a feeding control system transferring propane’ from a
propane evaporator to a scrubbing column was tested. All components were assumed binary
(work/fail). Six basic events were identified and three intermediate events. Occurrence
frequency data of primary events that would contribute to the occurrence of top events were
assumed. Considering these probabilities, the prior probability of the top event was calculated
as 0.270. ‘Index improvement method’ was used to determine events with a higher index, by
keeping some particular event absent. Again, mapping of Fault Tree to Bayesian Network was
done to test FT-BN conversion approach. The prior probability was 0.270 using the ‘Hugin
Software’. This improvement analysis showed the same results as FTA highlighted. In their
work, Khakzad et al. (2011) further calculated the posterior probability to reflect the
characteristics of an accident, claiming that ‘posterior probability has advantages over prior
probability’. They further stated that ‘posterior probability allows for updating using latest
accidents information and abductive reasoning’. Calculations to determine the posterior
probability of root nodes were carried out and tabulated. In this same study, they made mention
of ‘posterior joint probability’, and rounded up by indicating various modelling techniques in
Bayesian networks such as multi-state variables and dependent approach with new variable.
Finally, in comparison with other authors, this work was much detailed and gave solutions in
dealing with expert opinions and other modelling techniques.
4.4.3 FPSO collision analysis
Carried out in the UK, this work was quantitative in nature with the use of FTA to calculate
the occurrence of the top event and later mapped to the Bayesian Network for further analysis.
A study was carried out by Eleye-Datuab (2005), where the transfer of oil from floating
production storage and offloading (FPSO) oil tanker was examined. Collision rates were
established relating to the varying ways a collision may occur. A fault tree was developed and
frequency of collisions for FPSO was estimated. Using ‘Hugin software’, a Bayesian Network
model was created, showing two influencing nodes, ‘shuttle tanker’ and ‘support vessel’, with
one influencing node, ‘collision-FPSO’. The model was run, giving 5% probability of impact
and 95% probability of no-impact for ‘collision-FPSO’. A scenario was then initiated in the
119
model whereby the probability of impact was increased to 100%, and the probability of loss
of shuttle tanker went up from 7% to 50%. From the point of view of using the software
package, this research provided a detailed analysis.
The following are highlighted from the literature review: (1) the Hugin software and
GeNieVer2.0 were applicable as reviewed, where the former is used for BN analysis, and the
latter used as conversion algorithm software; (2) three authors were motivated to test the
hypothesis that ‘every fault tree can be converted to its corresponding BN’ for better analysis.
The results studied proved successful. The use of the minimum cut set approach before
conversion was observed. This was quite unusual, due to the fact that the model was not
complex. This implies that a direct conversion algorithm may vary depending on the size of
the model. The focus of all authors is mapping FT to a corresponding BN so that the
advantages of using a BN can be further incorporated into the analysis.
4.5 Fault-Tree Bayesian Network Mapping Algorithm
A study on the conversion methodology is appropriate in understanding the building of the
BN associated directly with the fault tree as seen in Figure 4.6 (Khakzad et al., 2011). In order
to facilitate reasoning, two principles are suggested by Shao et al. (2011) as a ‘MUST
consider’: (1) the nodes of the Bayesian network are associated with the events of fault trees;
(2) the distribution of conditional probabilities in the Bayesian Network is the reflection of the
logic gates in the fault tree. In mapping, detailed consideration should be given to the type of
Boolean gate used. A simple representation Figure 4.7 presents the corresponding rule with
nodes.
Figure 4.6: Mapping FT to BN Figure 4.7: The ‘OR’ and ‘AND’ gate in FT and BN
120
With OR gates, Pr is [0, 1, 1, 1] and Pr [0, 0, 0, 1] for AND gates where Pr is probability of
parent nodes’ link to child. In reliability evaluation of a mechanical system, Bobbio et al.
(2001) and Wojtek and Milford (2006) stated that building the Bayesian network is directly
associated with its fault tree. Shao et al. (2011) further highlighted the difficulties in
conversion process of large and complex systems. They stated, ‘conversion needs to redraw
the nodes and connect them while correctly enumerating their prior probabilities and
conditional probabilities. Actually, it is not easy to accomplish this task in practice.’
To overcome these difficulties, detailed work carried out by Wojtek and Milford (2006) titled
‘An efficient framework for the conversion of fault trees to diagnostic Bayesian network
models’, presented an observation list and fault tree. Fault trees, they said, ‘deal[s] in truth’,
whereas diagnostic networks ‘deal in observations of the truth.’ They further highlighted the
need of a semantic checking and adjustment in the conversion process.
Wojtek and Milford (2006) are hailed as the masters of conversion from fault tree to Bayesian
network, with the use of Graphical User Interface software with the aid of FT files created in
“iGrafx” and BN files in “.xdsl”. It is further claimed that this software, implemented entirely
in C++ and running under Windows 2000 and XP, has been tested on a number of real-life
FTs, ranging from small size nodes of 20 to 800 (Wojtek and Milford, 2006).
In brief, demonstrating how this software is utilised, ‘the thermal control system’, consisting
of 23 nodes, was illustrated for conversion of fault tree to BN in their study. However, no
researcher has implemented this software since its initiation in 2006, due to the fact that
published FT-BN research has avoided the use of large nodes, hence using the available
conversion algorithm based on basic conversion requirements.
First the FT is used to create the structure and parameters of the BN, then observation nodes
from the observation list, which augments the domain knowledge contained in FT, are inserted
into the BN on basis of the following: (a) the leaf nodes are independent of each other. Each
node appears only once in the tree and two different nodes representing exclusive failure
modes of the same component are connected with an XOR gate node, such as the states of
valve: open and closed; (b) the FT nodes are interconnected by links, so that they form a
directed tree.
Thus, for every two nodes there is a unique path connecting them – loops are not permitted;
(c) the mapping algorithm study among the six researchers reviewed in this paper: one used
four steps, two used five, and three used six steps in converting fault tree to corresponding
121
BN. The most elaborate of these for detailed reading and understanding is as referenced
(Wojtek and Milford, 2006). It is however difficult to identify the originator of these steps.
Four papers however reference Wojtek and Milford and dates from references point to them
as authors. Though all drew inspiration from Wojtek and Milford’s (2006) conversion
algorithm, none used their proposed software. These steps include:
1. Create a corresponding node in the Bayesian network for each event in the fault tree.
2. Set the name and identifier of the corresponding node in the Bayesian network using
those defined in the fault tree.
3. Assign to each node of the Bayesian network the corresponding different states, such as
failure and success.
4. Connect those nodes of the Bayesian network as they are connected in the fault tree.
5. The root nodes of the Bayesian network correspond to the event nodes of the fault tree
prior probabilities according to their respective states.
6. All the nodes that have parent nodes in the Bayesian network need conditional probability
tables, which can be obtained from statistical data and expert experiences. This
conversion algorithm however fails to stress the point where ‘common failure’ exist
among nodes. Again, it fails to provide a re-numbering method when it comes to using
its software to avoid getting wrong results and to construct the conditional probability
table of posterior probability accordingly.
Step (7): a new step is introduced on nodes where FT-BN dependency is identified. If base
event E8 and E9 are ‘common failures’, then its representation in BN is E8=E9 linked to the
same node (either ‘AND’ or ‘OR’), and a re-numbering system is suggested as ‘E89’, ensuing
events unchanged as demonstrated in the illustrative example. This is very important, because
the next numbering in the BN will remain unchanged hence keeping a constant correspondent
in order to update information on the BN as data becomes more available.
The next section presents a simple conversion approach and the use of causal reasoning in the
BN for risk modelling in dry dock gate failure, where the re-numbering system is seen with
the term “E89”. The next section presents an illustrative example of converting fault tree to
Bayesian network and presents results under causal reasoning.
122
4.6 Illustrative Example
4.6.1 Dry dock gate failure analysis
In this illustrative study, FTA of a dry dock gate failure is constructed from the failure mode
effect cause analysis (FMECA) of the original model established by Crougnieu et al. (2008)
for detailed analysis. A dry dock gate seen under construction is shown in Figure 4.8, which
reflects the size of this critical component in graving dry dock. The observation and functional
lists of subcomponents of dry dock gate failure (DDGF) are seen in Figure 4.9. In risk analysis,
a better understanding is given to designers and construction engineers regarding which
subcomponents require more attention. Using FMECA methodology, the whole dock gate is
assessed. This approach begins with a functional study of the system (integrating all its
structural components and equipment), and covers a thorough identification and quantification
of the potential failure modes. This process is called ‘hazard identification’, a first step of a
formal safety assessment (FSA). The block diagram of DDGF highlighted in Figure 4.9
includes environment, solicitation, geometry or material. From the observation list, a total of
86 different potential failure modes taking into account all components and all expected
functions were identified.
Figure 4.8: Dry dock gate construction Figure 4.9: Functional analysis of gate failure
These are then quantified to find the critical ones. The most critical risks identified are (Bartllet
et al., 2009): (a) collapse of the dock gate caused by a resistance loss of passive re-
enforcement, located in the wall on the dry dock side, and due to corrosion (mostly chloride
attack); (b) collapse of the walkway caused by resistance loss of the main beams due to
corrosion (chloride attack and carbonation); (c) dysfunctional bearings due to degrading
properties. Constructing a fault tree from these observations, three failures: wall failure (F3),
walkway failure (F2) and dysfunctional bearings (F1) are considered as sub-top events. Sub-
event dysfunctional bearings can be caused by overheating (Q1) and lubrication failure (Q2).
123
The causes of overheating are spalling (normal fatigue failure) (E1) and resistance loss in
hardness (E2). The causes of lubrication failure are restricted oil flow (E3) and degradation of
lubricant properties (E4). This deductive process is carried out in a top down fashion for wall
collapse and walkway, and a total of 13 basic events, ‘E6-13’ in Table 4.1, is presented. The
corresponding Bayesian network is mapped from the fault tree constructed by using the
conversion algorithm in section 4.5. A typical example of the conditional probability of node
“Q” is presented in Table 4.2. Figure 4.10 and Figure 4.11 represent FT and BN respectively.
Table 4.1: The variable distribution and nodes of the DDGF network
Table 4.2: Conditional probability table for Q1, E1 and E2
E1 E2
F 30 f 30
W 70 w 70
Q1
E1
f
F
E2 f w f w
F 85 80 80 10
W 15 20 20 90
Node description
Value %
Level of
working
condition
Description of nodes that can lead to
the failure of the gate
Prior Posterior
E1 Normal fatigue failure 27.00 28.23
E2 Resistance loss in hardness 27.00 27.38
E3 Restricted oil flow 27.00 27.45
E4 Degradation of lubricant property 27.00 27.45
E5 Wind load 54.00 55.15
E6 Hydrostatic load 27.00 27.61
E7 Carbonation attack of walk way 27.00 27.68
E8 89 Chloride ion attacks on walkway 54.00 56.00
E9 89 Chloride attack on walls 54.00 56.00
E10 10 Aggregated reactivity on walls 27.00 27.72
E11 11 Gradual formation of internal cracks
on walls
27.00 27.61
E12 12 Efflorescence effects on wall 54.00 53.97
E13 13 Thermal effects 54.00 55.22
Q1 Overheating 43.50 44.42
Q2 Lubricant failure 43.50 44.13
Q3 Resistance loss of wall way main
beam
57.22 59.38
Q4 Walkway corrosion 57.22 59.69
Q5 Wall corrosion 59.14 59.80
Q6 Resistance loss of passive re-
enforcement of walls
54.00 61.25
F1 Dysfunctional bearing 22.14 24.02
F2 Walkway failure 72.00 76.54
F3 Wall failure 73.88 78.51
R Dock gate failure 85.45 100
124
4.6.2 Probability of failure under no evidence
Assuming that the prior probabilities of all these events occurring are less than 23% and 54%
when the dry dock gate operates at ground position, this means there is no fault produced by
the level of working conditions. The happening probabilities of faults are listed in Table 4.1
under the condition of no evidence. The conditional probability table is constructed and figures
entered into the Hugin software. An example of the conditional probability of node ‘Q1’ is
seen in Table 4.2. All probabilities of the faults are lower than 55%. The occurrence
probability of system fault P (R) is 85.5%, which means the ‘gate’ operates normally and no
fault occurs. The results are the same as engineering experience.
Figure 4.10: Fault tree of DDGF
Figure 4.11: Bayesian conversion mapping diagram of DDGF
4.6.3 Probability of failure under given evidence
The reasoning and diagnostic ability of the DDGF network is checked under given evidence.
Suppose that the system has a fault occur corresponding to ‘P(R) = 100%’, the new posterior
probabilities results of working conditions are listed in the furthest column of Table 4.2. The
posterior probability of E89 is 56.07%, which is the largest among those components’ failure
probability under the condition of system failure. Therefore, in conclusion, E89 is the weakest
part in the DDG system and needs to be strengthened in order to enhance the overall system
reliability. The list from the second greatest to seventh is as follows: E13, E5, E12, E1, and
E7, with values 55.22%, 55.15%, 53.97%, 28.23% and 27.68% respectively.
125
4.6.4 Probability calculation under causal reasoning
For causal reasoning, system failure probability is different in each component failure. In
Table 4.1, we see that different components have different reliabilities in the DDG system and
have their corresponding effects on the whole system reliability. Therefore, by the Bayesian
network model, we can find the weak links of the system in order to provide the basis to
improve the reliability of the whole system, by means of strengthening the reliability of the
weak components in its design and constructing a process starting from the order E89, E13,
E5, E12, E1 and E7. To demonstrate the reliability if E89 fails 100% then failure probability
of top event DDGF is 89% and if E13 fails 100% then top event probability is 87.38%, as
highlighted in Figure 4.12.
Figure 4.12: DDFE top event 85% when event E12 fails 100%
4.6.5 Recommendations
Recommendations based on the analytic results and experience of the three main ways to
prevent failure of dry dock gates, when in a ground position and during the closing and opening
operation are presented. To help prevent future failures and manage resources for construction
and maintenance effectively, these critical failures can help build a maintenance pattern with
financial estimation beginning with reinforcing corrosion attacks on walkways and walls
(E89) during the construction phase of the project in Figure 4.11 as top priority (such as
passive re-inforcement corrosion, pre-stressing cable corrosion and anti-carbonation and
chloride prevention attacks). The next recommendation, as indicated from the analysis results,
is to channel resources into improvement of inspections of all submerged areas and underwater
inspections to identify effects of salt deposits on structures (E12). In the construction phase, it
is better to consider these parameters and improve on pre-stressing conditions of walls. Again,
focus should continue in ranking order E5, E12, E1 and E7 as obtained from analysis. These
strategic decisions are based on concrete, objective and traceable detailed analysis as
illustrated in this study. However, the limitations of this simple example are when dealing with
a large model, and how to construct its corresponding CPTs.
126
4.6.6 Fault Tree-Bayesian Network framework
The construction of BN could be quite complicated and its network structure is problem
specific. It is more advantageous to construct BN hierarchy following the concept of FTA and
then transforming basic FT to BN framework. Finally, lateral links among BN nodes and
conditional probability table (CPT) were introduced to incorporate expert’s experiences. The
two major steps for the proposed methodology are: (1) structure transformation from FT to
BN; and (2) CPT determination.
4.6.6.1 Structure Transformation from FT to BN
Top event, intermediate events, and basic events are directly mapped into the nodes in BN.
The arrows among BN nodes follow the definition of event relationships in FT. Furthermore,
some meaningful auxiliary arrows can be inserted into fundamental BN based upon the
experts. In summary, the transformation process of BN structure from FT is presented in
Figure 4.13.
Figure 4.13: Flow Chart for FT-BN transformation
4.6.6.2 CPT Determination
In a BN framework, if the node has several parent nodes, or if each parent node and child node
has several states, the CPT structure will become complicated. In addition, the values of CPT
are generally defined by experts based on their experience, the probability values could be
inconsistent especially under the condition of complicated CPT stated above. In this study the
software, AgenaRisk, was used to eliminate the above mentioned difficulites (Agena, 2012).
Through parameters defined in the software, coupled with weighting factors filled by experts
among nodes, one can calculate probability values of the CPT rapidly.
Data Collection
Select Top Event
Select Base Event
Decide Logic Relationship
Construct FT Framework
Transform into BN
Add Lateral Linkage
Construct CPT
Compute Probability Event
Event Symbol
Transformation
Input Expert
Opinion
Logic Gate
Transformation
127
4.7 Problems of Constructing a Large Bayesian Network in Risk Analysis
A typical task for the reliability analyst is to give input to a decision problem. An example in
this study is to examine the effect that environmental conditions have on a dry dock gate’s
time to failure, and give this as input to a maintenance optimisation problem (Langseth and
Portinale, 2007). The problem also includes the uncertainties or the random fluctuations of
other quantities included in a dry dock gate failure model.
The model must be mathematically sound, and at the same time easy for the decision maker
to understand. Furthermore, such models require a set of parameters to be fully specified, and
either statistical data or expert judgement must be used to estimate them. Finally, the model
must be represented such that the interested quantities can be calculated efficiently (Barlow,
1988). To overcome the challenges of representation, the FT-BN method is used and to
overcome the challenges of better quantification, a method of ranking subjective nodes from
experts’ elicitation using WieghtedMin truncated normal distribution (TNormal) is adopted in
BN to easily calculate and represent the priori probabilities and NPTs of corresponding nodes.
All these requirements have led to reduced focus on traditional frameworks like fault trees
(FTs), and more flexible modelling frameworks such as Bayesian network (BN) models have
gained popularity over the last decades (Langseth and Portinale, 2007). Nonetheless, there
exist some challenges in building large-scale BN models when dealing with discrete variables.
In discrete variables the conditional probability distributions (CPDs) can be presented as node
probability tables (NPTs), which list the probability that the child node takes on each of its
different values for each combination of values of its parents. Since a BN encodes all relevant
qualitative and quantitative information contained in a full probability model, it is an excellent
tool for many types of probabilistic inferences, where it is required to compute the posterior
probability distribution of some variables of interest (Neil and Cabaliero, 2007).
In the applications of BN involving building extremely large-scale BN models, there are
difficulties encountered in developing NPTs such as relying on purely “handcrafted”
approaches, in which each variable and each NPT needs to be elicited exhaustively with
domain experts (Neil and Cabaliero, 2007). The previous section in this study was to overcome
the challenges of mapping fault tree to Bayesian network and presenting its advantage. Then
causal reasoning was used in an illustrative case study with limited nodes to validate this
approach. In large BNs however the main challenge is to produce prior probabilities and
appropriate NPTs for each node that make the most of limited expert elicitation and limited
128
statistical data. A new risk assessment model is built up on the basis of BNs shown in Figure
4.14, with some special merits in the context of risk assessment. A typical sequential process
of a BN model contains six major stages from problem definition to validation of BN. After
problem definition, the problem description fragments provided are matched by the expert
against idioms. In this process the problem fragments are made concrete as idiom
instantiations, which are then integrated into objects. The next step is to elicit and refine the
NPTs for each of the nodes in each object. The objects are then integrated to form the complete
BN and inferences made and tests run for validation purposes. Ideally, real test data/expert
opinions not used in deriving the BN model (Neil and Fenton, 2012).
At each stage a verification step takes place to determine whether the output of the stage is
consistent with the requirements of the previous stage and the original problem. Failure to pass
a verification step results in the innovation of a feedback step that can return the process to
any previous stage. For example, it might become obvious to the expert when building the
NPT that the BN object may not be quite right. In such a case the idiom instantiations may be
redefined. For verification and validation a number of tests are performed to determine
whether the BN is a faithful model of the expertise and whether the expert’s opinions match
real data (Neil and Fenton, 2012).
Figure 4.14: Typical BN risk assessment
Problem definition and
decomposition
Matching problem
fragments against
idioms
Integrate idioms into
objects
Expert requirements,
real-world problem
Problem fragments
Idiom instantiations
Build node probability
table (NPTs)
Integrate objects into
executable BN
Validate BN
BN and inferences
Objects with NPTs
Working,
Valid BN
External,
real-world data
Object topology
Idioms
Verification
Ver
ific
atio
n
129
4.7.1 Idioms
An idiom is defined by Webster’s dictionary as ‘The syntactical or structural form peculiar to
any language; the language or cast of a language.’ The term idiom is used to refer to specific
BN fragments that represent very generic types of uncertainty reasoning. For idioms the
interest is only on the graphical structure and not in any underlying probabilities. For this
reason an idiom is not a BN as such but simply the graphical part of one. Four types of idioms
have been used to speed up the BN development process: cause consequence idiom,
measurement idiom and definitional/synthesis idiom and the induction idiom (which models
the uncertainty related to inductive reasoning based on populations of similar or exchangeable
members). Idioms act as a library of patterns for the BN development process. Experts simply
compare the current problem, as described, with the idioms for dry dock gate failure. By re-
using the idioms an advantage is gained of being able to identify objects that should be more
cohesive and self-contained than objects that have been created without any underlying
method (Neil and Fenton, 2012). Only the induction idiom (fault tree) is used to make some
useful predictions in dry dock gate failure over using an observed population (study) taking
account of differences in context. The key difference here is learning an unknown or partially
known parameter of dry dock gate failure from some known data (expert elicitation).
4.7.2 Challenges of constructing a conditional probability table (CPT)
Consider a typical BN structure (Figure 4.15) characterised by the fact that node values are
typically measurable only on a subjective scale like (lowest, very low, low, medium, high,
very high, highest) and only extremely limited statistical data (if any) is available to inform
the probabilistic relationship of U, given V1 and V2. However, there is significant expert
subjective judgement that can be used.
Figure 4.15: Typical qualitative BN fragment of a graving dock gate
Assuming that each of the nodes has seven states (in the many commercial studies experts are
rarely satisfied with three), the NPT for node U has (7 x 7 x 7) 125 states. This is not an
impossible number to elicit exhaustively, but some inconsistencies arise when experts attempt
V1: Rollers
failure
V1: Bearing
failure
U: Towing
failure
130
to do so, and if the node U has additional parents, then elicitation becomes infeasible and
exhaustive especially as real-world models involve dozens of fragments (Fenton et al., 2007).
Hence the problem and challenge is to produce an appropriate NPT for the node U that makes
the most of limited expert elicitation. This problem is certainly not new, since it has been
addressed in Wellman (1990), Druzdzel and Gaag (1995) and Takikawa and D’Ambrosio
(1999), and there have been serious studies on specific elicitation techniques (Maybeck, 1979;
Laskey and Mahoney, 1998; and Gaag et al., 2002). Also, the Noisy-OR (Huang and Henrion,
1996) and Noisy MAX (Diez, 1993) methods are well established as a standard way of
encoding expertise in large NPTs. Noisy-OR has the disadvantage that it applies only to
Boolean nodes and implicitly ignores the interaction effects between variables. Noisy-MAX,
despite the fact that it applies to ranked nodes with many states, does not model a certain range
of relationships (Fenton et al., 2007).
There is a large body of literature covering the psychological biases encountered during
elicitation and use of probability values. Such biases often arise through an inappropriate or
misleading question choice and depend on how the problem and question are framed. In BN
literature, there are few relevant papers that describe experimental results gained from
applying different probability elicitation. One paper by Zagorecki and Druzdel (2004) found
that human experts produce better results when Noisy-OR parameters were elicited rather than
complete NPTs. Also, Renooij (2000) gives a very good overview of a number of different
methods that can be used for elicitation, including probability wheels and the verbal-numeric
response scale. The role of elicitation in the whole model-building process and the inherent
challenge encountered is not considered in this study due to size restrictions. So this study
addresses only one type of probabilistic relationship that one might want to build into a BN.
This approach is complementary to the elicitation methods, and for the purpose of quick
comparison, the differences are given as follows (Fenton et al., 2007): ranked nodes are useful
when representing ranked relationships in NPTs involving nodes that are near continuous;
Noisy-OR is useful in cases involving Boolean nodes; the verbal-numerical response scale is
useful for relationships when nodes are labelled.
4.7.3 Ranked nodes approach
Ranked nodes represent discrete variables whose states are expressed on an ordinary scale that
can be mapped onto a bounded numerical scale that is continuous and monotonically ordered.
All ranked nodes are defined and labelled on an underlying unit interval [0, 1]. The crucial
131
thing about ranked nodes is that they can make the BN construction and editing task much
simpler than is otherwise possible. In particular, provided that they appear in the appropriate
combinations described below, the normally complex task of constructing sensible associated
NPTs is drastically simplified.
In some situations experts typically want to complete an NPT by using a ‘simple averaging
scheme’ to compute the maximum or minimum value as a guide to defining the ‘central
tendency’ of the child node based on a set of casual parent node values. In other studies, in
attempting to construct the NPT for node like U, an approach based on sampling values in
expert elicitation assertions is presented as follows: when V1 and V2 are both ‘very high’ the
distribution of U is heavily skewed towards ‘very high’; when V1 is ‘very high’ and V2 is ‘very
low’ the distribution of U is centred above medium (Fenton et al., 2007).
Since each node has an underlying numerical scale in the interval [0, 1], such assertions
suggest intuitively that U is some kind of weighted average function. In fact, experts found it
easier to understand and express relationships in such terms. Many so-called ‘self-assessment’
or ‘scorecard’ systems are based around little more than the weighted averages of attribute
hierarchies. However, such systems are usually implemented in spread sheet-based programs
that have associated with them a number of problems: difficulty in handling missing data,
problems with assessing credibility of information sources, and difficulty in using different
scales (Fenton et al., 2007).
Since all of these problems are readily solved using BNs, the challenge is to provide the
appropriate BN implementation that captures the explicit simplicity of the weighted average
while also preserving the intuitive properties that the resulting distributions have to satisfy.
For example, simply making U the (exact) weighted average of its parents does not work, since
the only uncertainty in the distribution of U, given its parents, will be the result of
discretisation inaccuracy rather than deliberate modelling. What is especially tricky to model
properly are the intuitive beliefs about the causes, given certain child observations, that is, the
so-called “back propagated beliefs”.
For example, suppose we have observed U and V1 and wish to infer the value of V2 as follows:
if U is ‘very high’ and V1 is ‘very low’ then we would be almost certain that V2 is ‘very high’
but not as confident as in the above case. In this light a straightforward solution for defining
the NPT for P(U/V) (where V represents the set of parent variables V1, V2, ……Vn) in such a
132
way that these various properties are all satisfied is provided by the Truncated Normal
distribution, described next (Fenton et al., 2007).
4.7.4 Using doubly truncated normal distribution for modelling ranked nodes
Formally, the ranked nodes’ casual structure is characterised by a joint probability distribution
with a set of causes V containing i = 1, 2, …..n ranked nodes Vi as the parents of U (Fenton et
al., 2007):
P (V, U) = p (U/V) ∏ P(Vi)ni=1 (4.5)
In general, the node V is considered to be a consequence of two or more cause nodes, where
each of the cause nodes is assumed to be independent when calculating the NPT. The BN in
Figure 4.15 is a very simple fragment of a large BN structure of dry dock gate failure. Drawing
an analogy with linear regression, where yi = βx + ∊ , with ∊ approximating a Normal
distribution of mean 0 and variance σY2 (written N(0, σY
2)), and where the contribution to the
variance of Y is σY2. The regression analogy is apt, since we are attempting to “target” the area
of central tendency in U, given different values of Vi and then are adding a fixed amount of
uncertainty around this. The only issue is to resolve the contribution of each cause to the effect,
and a clear way to do this is to use the correlation between the cause and the effect as the
appropriate measure (Fenton et al., 2007). Rather than the Normal distribution commonly
assumed in linear regression for ranked causal nodes, the doubly truncated Normal distribution
(denoted TNormal hereafter) is used as defined by Cozman and Krotkov (1997) where all
nodes are truncated in the [0,1] region.
Unlike the regular Normal distribution (which must be in the range – infinity to + infinity),
the TNormal has finite end points. We denote the TNormal by TNormal (μ, σ2, 0, 1) where μ
is the mean, and σ2 is the variance. The TNormal starts with a regular Normal distribution but
“ignores” the probability mass to the left and right of the finite end points and then normalise
the resulting distribution over the finite range [0, 1]. This enables us to model a variety of
shapes, including a uniform distribution, achieved when the variance σ2 → ∞, and highly
skewed distributions, achieved when σ2 → 0. A ‘simple weighted sum model’ is used to
measure the contribution of each Ui to explain V as a “credibility weight” wi (it can also be
elicited from an expert in this way) expressed as real values wi ≥ 0. The higher the ‘credibility
index’ the greater the correlation between Ui and V. Thus, in this method, the equivalent to the
error variance σ2Y in the linear regression model is simply the inverse of the sum of the weights
(Fenton et al., 2007):
133
σ2Y =
1
∑ wi ni=1
(4.6)
Given that,
V lies within [0, 1], normalising the regression equation E(V) = ∑ ni=1 wiUi by dividing with
∑ ni=1 wi. Thus:
P (V/U) = TNormal ∑ wiXin
i=1
∑ wi ni=1
, 1
∑ wi ni=1
, 0, 1
Suppose, for example, that n = 3 and that the allocation of weights wi for each Vi’s contribution
to explaining U is in the ratio 2:3:5, with variance σY2 = 0.001. The resulting distribution and
BN model are shown in Figure 4.15 and the joint distribution generated will be:
P(U/V) = TNormal 200Vi +300Vi +500Vi
200+300+500 ,
1
200+300+500 , 0, 1
= TNormal 2Vi + 3Vi + 5Vi
10 , 0.001,0,1
It should be noted that the resulting distribution for p (U) will not produce summary statistics
exactly matching the function because the coarse discretisation is used in arriving at results.
Given this, the mean values will tend to differ within the bin range specified. Specifically, for
seven ranks defined on [0-1], the mean value may be out by up to 0.1. Figure 4.16 presents the
Wieghted mean (WMEAN) function for U1. Also, the variance values observed will be
considerably higher because of the coarse discretisation. However, neither of these are major
problems since the aim is to produce a good fit to the experts’ distribution rather than a good
approximation to a TNormal distribution (Fenton et al., 2007). This approach is only designed
to cover unimodal probability distributions
Figure 4.16: WMEAN function for U1, given V1, V2, and V3
134
4.7.5 Modelling ranked nodes using min and max
The weighted average is not the only natural function that could be used as a measure of central
tendency in the ranked caused model. Suppose the BN fragment in Figure 4.16 is revisited. In
this case we elicit the following information:
- When V1 and V2 are both “very high,” the distribution of U is heavily skewed toward “very
high.”
- When V1 and V2 are both “very low,” the distribution of U is heavily skewed towards “very
low.”
- When V1 is heavily skewed toward “very low,” and V2 is “very high,” the distribution of U is
centred towards “very low.”
- When V1 is heavily skewed toward “very high,” and V2 is “very low,” the distribution of U
is centred towards “low.”
A weighted sum for U will not produce an NPT to satisfy these elicited requirements.
Formally, U’s mean is something like the minimum of the parents’alues, but with a small
weighting in favour of V1. The necessary function, which we call the weighted min function
(WMIN), has the following general form:
WMIN = min𝑖 = 1…..𝑛
wiXi + ∑ Xj n
i≠j
wi + (n-1) (4.7)
where wi ≥ 0 and n is the number of parent nodes, with a suitable variance σ2Y that quantifies
our uncertainty about the result, thus giving P (U/V) = TNormal [WMIN (V), σ2, 0, 1]. The
WMIN function can be viewed as a generalised version of the normal MIN function. In fact, if
all of the weights wi are large, then WMIN is close to MIN. At the other extreme, if all the
weight wi = 1, then WMIN is simply the average of the Xi’s. Mixing the magnitude of the
weights gives a result between a MIN and an AVERAGE. In the above example, taking w1 = 3
and w2 = 1 (with a variance σ2Y = 0.01) yields the results as shown in Figure 4.20. The
analogous WMAX function can also be used:
WMAX = max∀i=1…n
. wiXi + ∑ Xj n
i≠j
wi + (n-1) where wi > 0 (4.8)
Finally, the function MIXMINMAX, which is a mixture of the classic MIN and MAZ functions:
MIXMINMAX= wminMIN(V) + wmaxMax(V)
wmin+ wmax
where wmin and wmax > 0 (4.9)
135
In each case, the experts need to only supply the parameters to generate the NPT. This set of
functions has been sufficient to generate almost the entire ranked node NPTs elicited in
practice. The efficiency savings are considerable: if there are m ranked cause nodes, each with
n states, then the experts need to only supply (m + 1)n values for full elicitation. It should be
noted that ranked nodes can be further partitioned by declaring additional labelled, Boolean
or numeric parents that can be used to condition the type of weighted expression that one might
wish on the child node. Figure 4.17 presents the WMIN function for U1.
Figure 4.17: WMIN function for U1
4.7.6 Creating ranked nodes using AgenaRisk software
The AgenaRisk software comes with an easy to use graphical user interface (GUI) and
provides applicable programmer’s interface (API). It can be used as a robust BN programming
environment for modelling and interference (Fenton et al., 2007). While AgenaRisk software
makes it easy to key the input and read the output of the network by providing a graphical
representation of the properties of each node as a bar graph, there is usually a general strategy
of using AgenaRisk with TNormal applications to rank nodes. A weight declaration in
AgenaRisk is presented in Figure 4.18.
Figure 4.18: Declaring a rank weight expression for a node in AgenaRisk
136
For the purpose of building realistic NPTs that adequately capture expert judgement, the
existence of a good theoretical approach is insufficient. Good tool support is also needed, and
successful use of ranked nodes must be supported by a reliable tool that (Fenton et al., 2007):
(1) enables domain experts without any statistical knowledge to quickly and easily generate
distributions and; (2) provides instant visual feedback to check that the NPT is working as
expected. The AgenaRisk software satisfies these requirements. Constructing the necessary
NPT requires experts only to go through the following simple steps in AgenaRisk (supported
by the dialogue shown in Figure 4.17):
1. Select the NPT property for a given node and declare that the NPT is defined by an
expression. The TNormal distribution is automatically selected.
2. Either type in the full weighted expression or access the Dialog by a simple right mouse
click, as shown in Figure 4.17.
3. Complete the appropriate weights via the dialog presented by selecting the parent nodes
by using a slider bar to define the weight’s values and the certainty.
4.8 Risk Analysis of a Large Dry Dock Gate failure Model (Case Study)
The proposed methodology is a combination of different techniques already used. Proposals
of different authors and several techniques are combined to compose the methodology, which
resulted in the formation of the four-step process: familiarisation, qualitative and quantitative
analysis (inteference), complementary analysis and verification. Table 4.3 presents an
overview of the methodology steps.
Table 4.3: BN comprehensive framework
Step 1
Familiarisation
Step 2
Qualitative analysis
Step 3
Quantitative analysis
Step 4
Complementary analysis
Understanding the
system. Identify possible
scenes that the system
will be submitted to
Represent the system
Physically and
Functionally,
Represent the
Relationship
between
System elements
Completing the
Construction with
Quantitative data
Probabilities (CPT)
Estimating the
Probability of system
Failure and reliability
Analysing the criticality
Analysing different
Scenarios
Analysing the
Conditional reliability
Tasks
Data reviews:
Interview with experts
Functional tree:
Fault tree
Bayesian network
Bayesian network
(Inference)
Bayesian network
(Posterior probability)
Means
137
Table 4.4 is divided into two parts, the first in which all the tasks to be performed at each step
are listed and the second which lists the means suggested for these tasks. In the first step,
familiarisation, all the information available about the sliding dry dock gate failure must be
collected. The second step, qualitative analysis, is the step at which the relationship among the
system and components is identified from the induction idiom to build the appropriate fault
tree. In the quantitative analysis, the priori probabilities of the root nodes and the conditional
probabilities tables for non-root nodes are defined allowing the evaluation of the joint
probability of a set of variables. Finally, a complementary analysis must be performed by
evaluating the posterior probabilities, criticality analysis, the analysis of different scenarios of
interest and the conditional reliability analysis. These analyses allow improving the reliability
analysis through an evaluation that is not possible through traditional tools. The criticality
analysis means to find the set of components or subsystems that have greater influence in the
system behaviour; the analysis of different scenarios can be used to model any situation of
interest, such as the impact of including redundancies, the impact of a component fault or any
other conditions that affects the system reliability; and the conditional reliability analysis
provides information about the system’s behaviour over time
4.8.1 Application to sliding dry dock gate at Birkenhead, UK
In this section, the reliability analysis of a ‘sliding dry dock gate failure’ is performed by using
the methodology presented. First, information collected about the system is presented. Then,
the qualitative analysis is performed. Subsequently, a quantitative analysis will be conducted,
in which the limitations of using failure probability density and the system reliability are
estimated for a given mission time of the system are overcome by using readily available
subjective data from expert judgement. The AgenaRisk (Desktop Agena Risk, 2011) was used
to build the BN and to make the inferences about the system. Finally, the complementary
analysis is presented to validate the results as appropriate.
4.8.2 Familiarisation- sliding dry dock gate failure at Birkenhead, UK
Usually the dry dock gates are used for opening and closing the graving dock for docking a
vessel for repair purposes. The ageing structure of these gates increases the hazards due to an
unforeseen operation scenario. Accident in this process may lead to uncontrolled flooding of
the dock causing very severe consequences. In the dry dock gate studied, a ‘sliding gate’ must
be subject to detailed complex static calculations in order to check the structural elements and
interactions of various elements during design to ensure proper gate installation. The tightness
138
of a sliding gate in Birkenhead Shipyard depends on individual elements presented, yet is not
limited to those highlighted in Figure 4.19 for this study. It must be noted that some of these
components operate in the same environment while others have the same causes and effects
on the system. A detailed description is discussed in section 4.3.1. The Birkenhead sliding dry
dock gate operates to fulfil the following objectives: (a) great tightness for all loading causes;
(b) short opening and closing times; (c) easy servicing and maintenance; (d) mechanical
reliability; (e) monitoring of the gate position during opening and closing; (f) minimum
operation and maintenance costs in a minimum life span of twenty (20) years. The induction
idiom (fault tree diagnostic idiom) is used in this study, because none of the reasoning in the
induction idiom is explicitly causal. Specifically, the idiom has two components (Fenton and
Neil, 2012): (1) it models Bayesian updating to infer the parameters of the study where the
entities are assumed to be exchangeable; (2) it allows the experts to adjust the estimates
produced if the entity under consideration is expected to differ from a real-life situation. The
aim of this functional list is to provide guidance in the development of various events that can
lead to a sliding dry dock failure. Understanding the risk model can lead to effective risk
control measure hence improving mechanical reliability, maintenance and operation cost,
easing servicing, and monitoring gate tightness for all possible loading cases.
Figure 4.19: Functional list for sliding dry dock gate failure mode
Outside the dry dock gate system, the top deck contains the driving winch, control panel, tank
gauges, and ladders. The control system in the dry dock might fail, leading to breakdown time.
Likewise, there could be a failure of the driving winch, and tank gauges. Failure of tidal flaps
can be caused by failure of wires or flap valves. This can lead to increased buoyancy in the
upper chamber. In the air chamber, are the rollers, which can fail due to lack of proper
maintenance. The tanks’ failures include: trimming tanks might leak leading to improper even
dock trimming, the two scuttle tanks might leak leading to the gate not being able to seat in
Towing system
Bearing operation
Stability system
Structural element
Water pressure load
Tightness of dock sealing
Control panel system
Tank system
Gate functional list
139
position when normally full. When it is desired that these two tanks are empty the water in the
scuttle tanks can be blown out by air pressure. If not well flooded, these tanks can reduce dock
gate stability leading to increased movement of the dock due to wave action. Also, pumps
might fail, and there could be a blockage in the delivery pipes of the system. This system must
have sufficient strength during operation to avoid unexpected water pressure outside or a
failure of any individual component which could result in possible rupture of the structure.
The next step is to develop a fault tree to represent a typical sliding dry dock gate failure
model.
FTA involves quantifying risk from knowledge of how risk events (faults or failures) in the
dry dock systems propagate to cause accidents or hazards. The idea is that the functional
specification of the sliding graving dock gate can be decomposed into intermediate
components/functions that, should they fail, whether individually or together, would lead to
the hazard occurring. Fault trees are therefore composed from events with relationships that
connect the events together, reflecting what we know about how faults are likely to interact
and propagate. In classic FT diagrammatic notation, special shapes are adopted to visually
indicate the type of Boolean logic to express the model. The scenarios are those combinations
of primary events expressed in ‘AND’ or ‘OR’ logic gates as comparative statements involving
Boolean logical test. Because BN tools like AgenaRisk or Hugin implement expressions for
the Boolean operators, it is simple to perform FTA analysis using a BN.
In the gate failure functional list, there are eight (8) immediate causes (U) that can lead to its
failure. These are: towing system failure (U1), bearing failures (U2), stability issues (U3),
structural element failure (U4), loads from water pressure (U5), tightness of dock sealing joints
(U6), control panel failure (U7), and tank issues (U8). The primary events that can lead to
immediate towing system failure are: rolling rails (V1), rollers (V2) and system failure (V3);
the bearings failures (U2) include air chamber inaccessibility (V4) and roller failure (V5);
causes of stability issues (U3) include flap valves failure (V6), ballast tanks (V7) and wires
(V8). The causes of structural element failures (U4) are: floor failures (V9), walls failure (10),
handrails failure (V11), and ladder failure (V11). The causes of increased load from water
pressure (U5) are: increased sea state (V13), high tide (V14), and hurricane (V15). The causes
of improper dock tightness (U6) are: failure of rubber L-shape (V16), increased sea state
(V17), and hurricane (V18). The causes of control panel failure (U7) are: level water (V19),
control system (V20), and undetectability (V21). The causes of tank failures are: trimming
tanks (22) scuttle tanks (23) and scrum tank (24). Multiple experts (Appendix 4) are consulted
140
in this study. Only one scenario is modelled for five experts. Firstly, single expert opinions are
provided for each base event or parent events (V1-24) and five different
independent/dependent experts are used. It is ascertained that the results are better than when
multiple experts are asked to judge the risk of parents occurring. If we have a strong reason to
believe experts are not independent of each other, e.g. they may have attended the same
university, or work for the same organisation, then they become dependent. Five dependent
experts provide subjective judgements on the risk of base events on the sliding gate failure
model (V1-V24), using ranking nodes on seven scale nodes. The five experts are denoted in
the study as E1, E2, E3, E4, and E5 (dependent on each other), i.e. they are all working as
operators in the sliding graving shipyard industry with sliding dock gates. The weights of
experts E1, E2, E3, E4, and E5 on the scale of 1 to 5 are 5, 3, 3, 2 and 1 respectively.
The seven linguistic language rank nodes used in this study are: lowest (LT), very low (VL),
low (L), medium (M), high (H), very high (VH) and highest (HT), where each expert gives
his opinion on how parent V affects child U for this study. The underlying numerical
equivalent mapping of a 7-point rank scale is provided in the Bayesian interference engine of
software (AgenaRisk). It is usually not required to construct mappings in BN, because for
every respective linguistic description of the sates there is an underlying model working with
a numerical scale. In this light, every underlying numerical scale can be expressed in a
numerical statistical distribution. In practice it is often necessary to rely on subjective
probabilities provided by expert judgements as a rational expression of an individual’s degree
of belief in relation to the failure of a sliding dry dock gate working under certain conditions.
4.8.3 Converting fault tree to Bayesian network
There are a number of specific compelling reasons for performing FTA in terms of BNs rather
than using the classic FT approach (Fenton and Neil, 2012): (1) calculations in discrete BNs
are exact, whereas classic fault trees provide only an approximate method, called ‘cut sets’, to
calculate the probability of occurrence of the top event. This involves algebraically expanding
the Boolean event space of the model, inevitably leading to a combinatorial expansion leading
to inaccuracy; (2) unlike classic FTs a BN can be executed to diagnostic as well as predictive
mode. Therefore, given evidence of failure at the top or intermediate events, we can diagnose
which of the primary, or other, events is the most likely cause of this failure. This is useful in
fault finding and accident investigations in dry docking system; (3) classic FTA assumes a
Boolean specification for the states of all variables but in BN we need not, resulting in a richer,
141
more realistic model; (4) classic FTA assumes that the primary events are independent. This
is seldom the case, especially in the presence of common causes of failures and also where
components suffer from shared design faults. Using the conversion algorithm, the fault tree is
mapped to its corresponding BN, as presented in Figure 4.20.
4.8.4 Qualitative analysis
Qualitative analysis should provide a clear view of the system and the relationships between
system elements; this representation is first produced in this study by building a fault tree and
then converting it into a BN. The idea of directly producing a large BN for system analysis is
usually not advisable. In a dry dock classical risk assessment problem, the task of the risk
analyst and domain expert is to accept or reject the system. One of the key acceptance criteria
is the safety of the dry dock. This might, for example, be measured in terms of the predicted
number of safety-related failures in a 10- or 20-year life span. The FT-BN model provides a
better framework to ask appropriate questions, make decisions and justify them.
The challenges of coming up with quantified figures in a BN has led to combining evidence
of very different types in the past. The evidence might range from subjective judgements about
the quality of the supplier and component complexity, through to more objective data like
number of defects discovered in independent testing. In some situations there might be
extensive historical data on previous similar components, whereas in other cases there might
not be any. In this study, the trust in the accuracy of any test data will depend on the trust in
the providence of the testers. Having little or no test data at all will not absolve the
responsibility for making a decision and having to justify it.
A decision based only on gut feel will generally be unacceptable and, in any case, disastrous
in the event of subsequent safety incidents with all the legal ramifications. The aim to build a
scientific model, so open, factual, and honest for discussing risks and our beliefs (i.e. theories)
about how they interrelate, and what the probabilities are, is of the utmost importance. The
risk analyst (the modeller) and the elicitee (the sliding dry dock gates’ subject matter expert)
must have an understanding of each other’s professionalism, skills and objectives.
The goal is to understand sliding gate operation (design, construction, installation and
operation) sufficiently to probe and challenge discussion in order to allow experts to sharpen
and refine thinking; this in turn leads to more accurate probabilities. The use of a BN structure
in this study is because it supplies some or all of this, thus making this easier than when asking
for probabilities alone
142
(CCF)
Figure 4.20: FT-BN sliding dry dock gate failure mode
U8
V22
V24
V23
U7
V19
V21
V20
U6
V16
V18
V17
U5
V13
V15
V14
U4
V9
V12
V11
U3
V6
V8
V7
U2
V4
V5
V10
U1
V1
V3
V2
GF
V1
V2
V3
U1
V4
V5
V6
V7
V8
V9
V10
V11
V12
U2
U3
U4
V13
V14
V15
V16
V17
V18
U5
U6
V19
V20
V21
U7
U8
V22
V23
V24
GF
143
Determining whether any two nodes in BN are dependent is well taken care of in the FT-BN.
In the three types of connection (serial, divergent, and convergent) in a typical BN structure,
defining the conditions under which pair nodes dependent (formally this was a notion of d-
connected) is required. The dry dock gate system has local dependences between walls and
floors. Walls and floors change if there is increased load on the system. Load increase leads
to increase of walls failure probability. This variable has conditional dependence that is not
possible to address with traditional FT. To include this dependence in the BN model, an arc
was built between the nodes. With this approach, it is possible to model how the malfunction
of any equipment affects the other equipment. Although it is not required in determining such
general dependencies in any practical model building, this notion is important to understand
the detailed BN algorithm.
Finally, to complete the qualitative analysis, the common cause failure (CCF) must be
included. This dry dock gate system has a redundant subsystem in which a CCF may occur; a
parallel system provides failure to sealing system and guiding post. The CCFs are important
contributors to system unreliability and typically exist among redundant units. CCF in this dry
dock gate system directly affects the reliability of the whole system. In the BN, one node is
included for each group of redundant components to verify the CCF effects; each node is a
representation of the CCF associated with groups of similar component: CCF1 (bearing),
CCF2 and CCF3.
4.8.5 Modelling using AgenaRisk
Building a BN to solve a risk assessment problem involves the following steps: (1) identify
the set of variables that are relevant for the problem; (2) in AgenaRisk create a node
corresponding to each of the variables identified in the fault tree, hence mapping fault tree to
BN; (3) identify the set of states for each variable. Again this depends on your perspective and
issues related to complexity; (4) in AgenaRisk specify the states for each node; (4) identify the
variables that require direct links. This must have been taken care of by the fault tree diagram;
(5) for each node in the BN specify the NPT. (This is usually the hardest part of the modelling
process and that is why much effort is devoted to providing guidelines and help for this part.)
In this study all variables involved have a finite discrete set of states then the NPT requires us
to specify the probability of each state of the node given each combination of states of the
parent’s nodes. Executing a model in AgenaRisk, click on the appropriate toolbar button. This
will result in all the marginal probability values being calculated; the point of interest is
entering observations and recalculating the model to see the updated probability values.
144
Entering an observation (also called evidence) for a variable means specifying a particular
state value for that variable, called hard evidence, in contrast to an uncertain evidence. Once
any type of evidence is entered the model needs to be recalculated so that you can see the
revised probability values.
Dealing with inconsistent evidence, it is important to understand that sometimes evidence
entered in a BN will be impossible. Sometimes, too, when attempting to run the model with
certain observations a message comes on screen indicating inconsistent evidence. What
happens is that the underlying inference algorithm first takes one of the observations and
recomputes the other node probability values using Bayesian propagation. One of the most
common confusions when using BNs in practice occurs when entering evidence in large
complex BNs. It is often the case that entering particular combinations of evidence will have
extensive ripple effects on nodes throughout the model. In some cases this will result in certain
states of certain nodes having zero probability; in other words they are now impossible. These
nodes might be directly connected to the nodes where evidence was entered. If, in these
circumstances, the user subsequently enters evidence that one of the impossible states is ‘true’
the model, when computed, will produce an inconsistent evidence message that may surprise
the user (who may wrongly assume that the algorithm has failed). In such circumstances the
user also has the tricky task of identifying which particular observation caused the inconsistent
evidence.
4.8.6 Quantitative analysis
Quantitative analysis begins with the inclusion in the BN of the priori probabilities of root
nodes; these probabilities can be provided by statistical data or be estimated by experts. Next,
the relationships between nodes must be specified. And finally the joint probability of the
network is obtained, which, in this case will serve to obtain the system reliability for a given
mission time or using a ranked node as in the case of this study. The root nodes that represent
the basic components are completed by probability density functions representing the time to
failure (TTF) of the basic components. The relationships between components are presented
by basic constructs such as AND and OR gates, used in fault trees. The AND gate, where the
output will fail when all input components fail, has a probability of failure of its output in the
time interval [0, t], given by: P (ℓAND ≤ t) = P (ℓ1≤ t,... ℓn ≤ t) = P (max ℓi ≤ t) where ℓAND:
time to failure of AND gate, ℓ1 time to failure of component i. The OR gate, where the output
will fail if at least one input component fails, has a probability of failure of its output, in the
145
time interval [0, t], given by: P (ℓOR ≤ t) =1- P (ℓ1≤ t,... ℓn ≤ t) = P (max ℓi ≤ t), where ℓOR:
time to failure of OR gate, ℓ1 time to failure of component i. Although the BN is able to deal
with any kind of prior distribution, some studies consider the components to have constant
failure rates (λ) which means that the time-to failure distributions were assumed to be
exponential. Thus, the probability of a component to fail at time T within a given mission time
t is calculated as P (T<t) = 1-e- λt, except for insulation. Statistical data about the probability
of the towing failures were not found along this investigation, but these distributions may be
estimated by expert judgement. BN builders ask relevant questions to a group of specialists
and explain the assumptions that are encoded in the model, and the domain experts supply
their knowledge to the BN builder demonstrated in this process. Understanding the limitation
of a normal distribution, and overcoming the limitation of Boolean gate expressions for a large
BN, one especially useful distribution to express expert numerical statistical distribution is the
truncated Normal (or TNormal). It is convenient to generate both prior probabilities of nodes
with parents, and to generate satisfactory NPTs for almost all BN fragments involving ranked
node with ranked parents. Not only are the parents and experts’ nodes ranked, they are also
weighted.
Using the “Weighted Ranked Nodes TNormal distribution” the computation of prior
probability is readily done in large studies, while the weighted parents’ TNormal distributions
are used to generate satisfactory NPTs. Once the BN structure is constructed using AgenaRisk,
the first step is to identify the set of states for each node as ranked nodes for the entire structure.
For each parent node V1, five experts provide a truth table of occurrence of parents, as
presented in Figure 4.21.
Figure 4.21: Expert input evidence for parent node V1
Unlike the regular Normal distribution (which must be in a range –infinity to + infinity) the
TNormal has finite end points. For ranked nodes these points are 0 and 1, respectively. Like
the Normal distribution, the TNormal is characterised by two parameters: the mean and
146
variance. A range of TNormal distributions with different means and variances is shown. The
notation TNormal (a, b) stands for mean and variance respectively. The ranked node functions
in AgenaRisk are generated using TNormal distributions from a sample taken from the parent
nodes so as to generate ‘mixtures’ of TNormal distributions.Generating prior probabilities
using Weighted min function (WMIN) for each parent node, V in AgenaRisk, an example
using node V1 ranked on a scale lowest, very low, low, medium, high, very high, and highest
is specified. Defining the prior probability of node (V1) using AgenaRisk, the five experts
consulted in this study were provided with values as E1-lowest, E2- low, E3-low, E4-lowest,
and E5-low. The next step is to specify their relative weights using the Weighted rank nodes
incorporated in the wizard of experts and uncertainty shown in Figure 4.22.
Figure 4.22: The wizard to insert weight of experts and uncertainty
Suppose we wish to define the prior probability of node (V1), then we need to specify the
individual truth table of each expert and their relative weights using weighted rank nodes.
Instead of specifying the individual node entries for the seven states manually, simply define
the prior probability as an approximate TNormal expression (the mean would be below 0.5 to
ensure skew towards low, if this were the case). The real power of the TNormal distribution
comes when we define the NPTs for V1 with five experts’ judgements ranked in 7-scale
mapping; here the mean is a weightedMean expression of the expert nodes E1, E2, E3, E4,
and E5 (with weights 5, 3, 3, 2 and 1 respetively) and variance of 0.01. Clicking on the
appropriate button, the prior probability of V1 is obtained, seen in Figure 4.21 as 37.884%
lowest, 48.83% very low, 12.66% low, 0% medium, 0% high, 0% very high, 0% highest. The
truth table for all parents’ nodes (V1-V24) provided by five experts is presented in Table 4.4.
Likewise, generating NPTs for the entire system using WMIN domain experts provide the
importance of each parent over its corresponding child node. For example, using the BN model
147
where V1, V2 and V3 are parents to child node U1, the relative weights of V1, V2 and V3 are
suggested to be 3, 4, and 1 respectively.
Table 4.4: The linguistic expression for five experts for each parent V1- V24
The resulting prior probabilities of each parents (V1-V24) and each corresponding weight is
presented in Table 4.5. The example presented for node V1 is highlighted.
Table 4.5: Resulting prior probabilities and suggested weights of V1-V24
W LT VL L M H VH HT
V1 3 37.884 48.83 12.66 0 0 0 0
V2 4 2.447 25.875 50.809 19.393 1.38 0 0
V3 1 44.692 45.78 9.186 0 0 0 0
V4 1 0 6.743 39.22 43.924 9.527 0 0
V5 5 19.147 50.775 27.981 2.844 0 0 0
V6 4 0 0 11.802 46.814 35.596 5.118 0
V7 2 0 0 7.998 41.871 41.696 7.896 0
V8 1 0 9.599 44.007 39.11 6.698 0 0
V9 5 0 0 6.996 39.724 43.561 9.21 0
V10 2 0 0 13.196 47.772 33.696 4.55 0
V11 2 0 3.014 28.269 50.177 17.356 1.115 0
V12 1 0 5.534 36.06 46.014 11.678 0 0
V13 4 0 9.599 44.007 39.11 6.696 0 0
V14 2 0 12.992 47.44 34.037 4.754 0 0
V15 1 0 1.876 25.573 51.048 22.573 1.876 0
V16 5 0 1.142 17.557 50.209 28.049 2.974 0
V17 5 0 1.146 17.603 50.238 27.98 2.956 0
V18 1 0 0 14.803 49.084 31.394 3.819 0
V19 2 44.15 46.003 9.48 0 0 0 0
V20 1 37.877 48.833 12.663 0 0 0 0
V21 1 5.157 35.76 46.818 11.727 0 0 0
V22 1 49.85 42.731 7.194 0 0 0 0
V23 1 44.15 46.003 9.481 0 0 0 0
V24 1 1.188 18.029 50.486 27.431 2.814 0 0
V1 V2 V3 V4 V5 V6 V7 V8 V9 V10 V11 V12
E1 LT L LT M LT H H M H H H L
E2 L M LT M L H H M M H L L
E3 L L LT L M H H L VH L H H
E4 LT M M H M L M M M VH L H
E5 L LT L L L M M L H H H H
V13 V14 V15 V16 V17 V18 V19 V20 V21 V22 V23 V24
E1 M L VH H VH H LT LT M LT LT M
E2 M M L M L M L L L L LT L
E3 L L H L VH M LT L L LT VL M
E4 H M H H L H M L VL L L M
E5 VL M L VH H M LT LT VL LT L LT
148
The NPT of child node U1 (bearing failures) can be likewise defined to be TNormal with
mean and variances. Here, the mean is a weighted mean expression (using AgenaRisk as
distribution can be entered directly as an expression for the node U1 or via the simple wizard
shown in Figure 4.23 and Figure 4.24 since the tool has a built-in WeightedMean expression).
In this study, the prior probability of V1, V2 and V3 is entered manually in a 7-ranked scale
mapping. Also, the relative importance of each V1, V2, and V3 is 3, 4, and 1 respectively, as
seen in Table 4.4, and the corresponding prior probabilities of V1, V2 and V3 as seen in Table
4.4 are: V1 37% lowest, 48.83% very low, 12.66% low, 0% medium, 0% high, 0% very high,
and 0% highest, V2 2.447% lowest, 25.875% very low, 50.809% low, 19.393% medium,
1.38% high, 0% very high, and 0% highest, V3 44.692% lowest, 45.78% very low, 9.186%
low, 0% medium, 0% high, 0% very high, and 0% highest. Entering the evidence for parents
V1-V3 and their relative importance reflected in the weighting scheme used is also evident
when calculating the cause given evidence about the effects. The nodes with higher weights
will be identified as the most likely causes of the consequence. Should the probability of U1
be expressed, it can be obtained from the software as: U1 1% lowest, 55.986% very low,
40.629% low, 12.115% medium, 1.23% high, 0% very high, and 0% highest. The results
of the all the children U1-U8 with respective parents V1-V24 are provided in Table 4.6.
Table 4.6: Effects of parents V1-V24 on children U1-U8
Figure 4.23: BN model for Parent U1-U8 Figure 4.24: System failure (SF) probability
W LT VL L M H VH HT
U1 1 55.986 40.629 12.115 1.23 0 0 0
U2 3 0 4.07 24.586 43.789 23.466 3.736 0
U3 4 17.987 37.808 32.016 10.777 1.357 0 0
U4 2 0 4.011 26.026 45.37 21.589 2.756 0
U5 3 1.782 15.643 40.901 31.914 8.146 0 0
U6 5 0 5.985 27.685 42.026 20.588 3.156 0
U7 1 29.459 46.625 21.09 2.728 0 0 0
U8 5 21.441 46.092 27.622 4.631 0 0 0
149
For diagnostic analysis, the entire BN is reduced to a resultant model with parents U1-U8. In
the AgenaRisk the parent nodes can be regrouped in order of importance and function as
presented “U3-U7”, “U1-U2-U8”, and lastly “U4-U5-U6”. Using the prior probabilities of
parents U1-U8 as calculated in Table 4.5, the resultant failure SF of the system is calculated
as lowest-7.185%, very low-29.941%, low 41.002%, high-2.897%, 0%-very high, 0%-
highest. Diagnostic analysis can therefore be carried out using various scenarios, and the goal
to represent a complex structure to as few variables as possible for traceable results is
presented. Next, when the system failure is highest, the most affected node is U3. Entering
evidence that the dry dock gate at Birkenhead fails (when SF is highest), the diagnostic results
shows that U3 affects the system the most as presented in Figure 4.25.
Figure 4.25: Result when dry dock gate fails
4.8.7 Sensitivity
An extremely useful way to check the validity of an expert built model is to perform sensitivity
analysis, whereby it is possible to see diagrammatically which nodes have the greatest impact
on any selected (target) node, in this case SF, signifying system failure of dry dock.
Considering the model, it would clearly be interesting to know, based on the overall definition,
which nodes have the greatest impact on SF. Setting SF as the target node, the tornado graph
in Figure 4.26 is generated.
Figure 4.26: Tornado graph showing sensitivity analysis
150
In theory, this can be manually done by running through various scenarios of the model setting
different combinations of scenario definition for system failure (SF). Fortunately, AgenaRisk
does this automatically by allowing us to select a target node and any number of other nodes
(called sensitivity analysis).
From a purely visual perspective the length of the bars corresponding to each sensitivity node
in the tornado graph is a measure of the impact of that node on the target node. Thus, the node
U2 has most impact on system failure, followed by the nodes U7, U5, U8, U1, U3, U4, and
U6. The formal interpretation is that the probability of SF given the result of U2 goes from
0.176 (when U is lowest) to 0.01 (when U2 is highest). This range (0.176 to 0.01) is exactly
the bar that is plotted for the tornado graph. The vertical bar on the graph is the marginal
probability for system failure (SF) being ‘highest’ (0.000025).
In validating these results, there are many types of sensitivity analysis, some of which are
extremely complex to describe and implement. AgenaRisk has a sensitivity analysis tool that
provides a range of automated analyses and graphs. In this study, only the simplest type of
sensitivity analysis with discrete nodes, tornado graph, is used, validated by generating the
incremental influence table for U2 and U7.
Table 4.7: U2 vs SF incremental influence Table 4.8: U7 vs SF incremental influence
4.9 Discussions and Conclusion
In this chapter the main challenge encountered when building a BN and attempting to complete
the conditional probability tables (CPTs) in the BN are: that the number of probability values
needed from experts can be unfeasibly large. In this study, a new node types has been
introduced to make clear which types are compatible with what functions and for ranked
151
nodes. The idea of expert elicitation is avoided in this chapter; however the concept of
transforming fault tree to Bayesian network is expanded. Where data is available, the
validation or recalibration of expert predictions is best suited as proposed in this study. The
outcome of this study is the application of effective risk control measures as listed in hierarchy
order: RCO 2- Preventing any buoyancy obtained from the upper chamber, these include
improved inspection in Tidal Chamber, focusing on Tidal flaps connected by wires, and tidal
valves. RCO 7- Preventing failures of control system, these include maintenance of driving
winch, control panels and control tank gauges. RCO 5- Loads from water pressure – rolling
and holding gate in centre of recess – roller guide gates using a pair of rollers, into a central
guide-wall, holding the gate in the centre of the recess. RCO 8- Tank operation issues, putting
in permanent ballast to bring the gate to an even keel, two scuttle tanks, used to sink the gate
into position, how the two ballast tanks are flooded when the gate is closed to increase stability
and prevent any movement due to wave action. RCO 1- Maintenance on towing system, these
include removal and maintenance of the rollers in air chambers, gate-shifting system
inspection (A 2-pile system, and hydraulic trolley). RCO 3-Constantly controlling an even
draught (stability concerns) by using trimming tanks. RCO 4- Improve structural element
inspection – walls, floors, decks, walkway, handrails, guiding post. RCO 6- Maintain gate
water tightness – a roller L-shaped strip was fixed to the outer edge of the green heart-facing
pieces, which must be constantly maintained and checked.
This chapter presented an effective and flexible event-based FT-BN framework for dry dock
risk analysis. The framework is mathematically sound and at the same time simple enough to
allow interaction with domain experts and decision makers. This chapter has demonstrated the
approach using a simple illustrative example and a case study to achieve results that are in the
simple case almost as good as analytical results.
Further improvements is however required in technical aspects of this approach including
coping effectively with situations in which evidence lies. In future work, the reliability analysis
applied in this study may be expanded to the entire dry dock system failure. Also, the impact
of a failure in this system may reach other areas of the docking process, which may lead to
more severe consequences; hence a more detailed consequence analysis is required.
152
Chapter 5 – A Fuzzy Rule-Based Approach for Risk Analysis in Dry Docking Operation
Summary
In this chapter, a fuzzy rule-based system with final evidential aggregation is proposed for risk
analysis in a floating dry dock. Accidents involving transverse bending failures of dry dock
pontoons are presented. The proposed fuzzy evidential rule-based (FERB) system is used to
deal with uncertainty in experts’ knowledge on how a pontoon deck’s plate might buckle while
lifting vessels well within the overall rated capacity of the docks. The fuzzy evidential reasoning
framework is introduced to model epistemic uncertainties including nonspecificity and
vagueness. A computational efficient formulation of the FERB system using an uncertain IF-
THEN rule is presented. Inference is performed through determining the fired rules followed
by fuzzy Dempster-Shafer combination of activated belief structures. The advantages of the
proposed FERB system are demonstrated using simple numerical examples and the risk
analysis of a floating dock pontoon deck failure.
5.1 Introduction
Up until recently, structural failures of floating dry dock pontoons due to excessive transverse
bending stresses were thought to be relatively rare occurrences. However, there have been three
accidents involving transverse bending failures of pontoons within the last few decades (Heger,
2003). All three accidents provide knowledge on what can lead to accidents although some
uncertainties exist due to complex environments and multicriteria information. Multicriteria
information fusion is an extremely active field of research due to the need to improve
frameworks to support decision making in this complex environment (Wallenius et al., 2008).
Fuzzy rule-based systems are one of the most popular approaches for representing the
knowledge because of some of their unique characteristics. The simplicity of analysis of
complex systems and the ability to model the nonlinear relationships of the input-output in the
realm of fuzzy inferences system (FIS) are some of the promising features (Aminravan et al.,
2011). Belief rule-based (BRB) systems refer to a class of expert systems that extend the
traditional IF-THEN rules to represent uncertainty knowledge about complex systems. To
model the knowledge based on the BRB system, only a partial and imprecise input-output
relationship is required. The knowledge can be vague and incomplete, either obtained from
expert, data or both (Aminravan et al., 2012). Belief structures are popular in knowledge
representation systems as they can model various facets of knowledge of uncertainty (Yager,
2008). A general structure of rule-based belief functions for represented knowledge was
153
presented in Eddy and Pei (1986). Most of the suggested belief rule-based systems use
evidential reasoning algorithms to aggregate the uncertain knowledge presented on belief
structures (Aminravan et al., 2011). Among all evidential reasoning methods, the Dempster-
Shafer theory (DST) (Dempster, 1967 and Shafer, 1976) provides a framework for handling
granularity, non-specificity and conflict and has been successfully used in different
applications. To date, several evidential reasoning algorithms using a distributed modelling
framework based on DST have been introduced (Yang and Singh, 1994 and Smets, 2007). A
more recently well-known method realisable in both analytical and recursive formulations
called the evidential reasoning (ER) approach was proposed for multiple attribute decision
analysis under uncertainty (Yang and Xu, 2002 and Wang et al., 2006). The belief rule base
concept and its inference methodology as proposed based, on the evidential reasoning
approach, provide better results when compared to a traditional rule base (Yang et al., 2006,
Yang, and Xu, 2002). In the belief rule base, each possible consequence of a rule is associated
with a belief degree. Such a rule base is capable of capturing more complicated and continuous
causal relationships between different factors. When applying the belief rule base, the input of
an antecedent is transformed into a belief distribution over the reverential values of an
antecedent. The distribution is then used to calculate the activation weights of the rules in the
rule base. Subsequently, inference in the belief rule base is through the aggregation of all the
activated rules using the evidential reasoning approach (Ehaheh et al., 2013).
Fuzzy rule-based systems (FRBSs) have the capability to model and interpret vague
information in a linguistic environment. FRBS have found a wide variety of applications in
various engineering problems. For instance, an application in detection and also defect type
analysis of flat steel productions using image processing and FRBS has been investigated
(Carbajal and Sanchez, 2008). Cho and Park (2000) showed another application of FRBS in
assessing water quality in shrimp ponds. In this application the defuzzified output of FRBS is
interpreted as a quality index. In another application, a two-stage FRBS is employed in the
traffic signal controller (Nikili and Kuhu, 1999). FRBSs have been employed for risk
assessment in environmental risk analysis problems (Aminravan et al., 2011, Sadiq and
Rodriguez, 2005). They have been applied to the safety analysis of offshore systems (Liu et
al., 2005), pipeline leak detection (Xu et al., 2007; Zhou et al., 2009; Chen et al., 2011), clinical
decision support systems (Kong et al., 2009) and stock trading expert systems (Dymova et al.,
2010). Also, they have been used in graphite detection (Yang et al., 2006), inventory control
(Liu et al., 2009), consumer preference prediction (Wang et al., 2009), new product
154
development (Tang et al., 2011)), system reliability prediction (Hu et al., 2010), gyroscopic
drift predictions (Si et al., 2011), delayed coking unit (Yu et al., 2012) and aggregate
production planning under uncertainty (Li et al., 2012). In the context of structural failures of
pontoons due to excessive transverse stress in floating dry docks, the risk assessment grades
are expressed using linguistic variables. In this study, FRBS with final fuzzy evidential
reasoning has been proposed to incorporate ambiguity and uncertainty involved in structural
failure of the pontoon within the linguistic environment. The main advantage of the proposed
method is the ability to deal with uncertainty risk assessment parameters and to model
nonlinear relationships.
The rest of the chapter is structured as follows (Figure 5.1). Section 5.2 is the problem
statement. Section 5.3 introduces the structure of the classic rule-based system and proposed
FRBS with final evidential reasoning to assess the relative risk assessment parameters. Section
5.4 presents the properties and definition of typical FRBS. Section 5.5 is review of FRBS
framework adopted for this study. Section 5.6 explains about structural failures of pontoon due
to excessive transverse stress in a generic floating dock. Section 5.7 illustrates the performance
of the proposed framework using a typical floating dry dock pontoon failure. Section 5.8
summarises the concluding remarks of this chapter.
Figure 5.1: Flow chart of the development of the study
2. Problem definition
(Statement of Problem) 3. Application of FRBS
(Accident and Data Reporting)
4. FRB Evidential Reasoning framework
(Evaluation criteria and Sub-criteria)
5. Review on structural failure of pontoon
Risk
Analysis and
Estimation
6. Case study
7. Result and conclusion
1. Introduction
155
5.2 Problem Definition
This monograph chapter has two objectives. First, but not foremost, it is intended as a manifesto
for the use of subjective reasoning approaches with imperfect information, which argues ‘that
they are useful and well-developed’. Secondly, it is intended as a manifesto for an eclectic
approach. The eclectic approach is a natural way of modelling the various forms of
imperfection that may be present in the models of a real floating dry dock (Parsons, 2001). The
monograph research approach is to overcome the challenges of this chapter which are: (1) Lack
of data collection, accident and near miss reports in floating dry dock systems; (2) Developing
a floating dry dock model to capture industrial applicability; (3) Definition of experts’
participation and response to the system model; (4) Justification of results output of using
FRBS; and; (5) Uncertainty analysis validation approach. Every floating dry dock has its own
personality. This personality is a function of its operation, and differs with the size of dock. A
moment of thought is sufficient to reveal the extent to which imperfect information is present
in daily life, as Morgan and Herion (1990) point out, ‘We have evolved cognitive heuristics and
developed strategies, technologies and institutions such as weather reports, pocket-sized
raincoats, and insurance to accommodate or compensate for the effects of uncertainty.’
It is exactly because information about the world is imperfect that floating dry dock systems in
the real world have been able to represent and reason with imperfect information. To overcome
these limitations, the floating dry dock model captures essential features of reality, whilst being
reasonably cheap to construct and operate (Fellows and Liu, 2008). Relationships between
variables and boundaries are identified prior to quantification. The resulting model therefore
reflects both the education and training of the risk analyst in the floating dry dock system.
FRBS is a method of reasoning under uncertainty in a precise mathematical way. As a result it
is possible to precisely determine the meaning of the derived measure. It is also possible to
precisely determine the conditions under which the measure is valid (Morgan and Herion,
1990). Indeed, a large amount of survey on the application of FRBS which already exists, is
introduce in large amount so as to cover a large amount of material that is never used in
theoretical parts. This is focused on eclecticism in handling imperfect information and the need
to integrate different approaches.
The disadvantage, however, with FRBS is that it requires specific types of information to be
known, and places specific conditions on how the measures are to be allocated – for instance,
the use of one method might require the attachment of a measure to be at least one. Such
156
conditions on the measure lead to quite stringent constraints on the situations in which models
may be built using these methods (Morgan and Herion, 1990). This, in turn, means that it is
often the case that, when modelling a specific situation in a floating dry dock, no method
exactly fits the data that is available. Three such models are certainty factors (Shortliff, 1979),
fuzzy sets (Zadeh, 1965) and the theory of evidence (Shafer, 1976). Different methods are often
designed to model different aspects of imperfect information, different preconditions, and
provide different types of solutions. Different methods are completely exclusive in dry dock
subjective risk analysis. These issues can be overcome by adopting the eclectic position, such
that where there is a floating dry dock scenario in which no single method will be able to handle
the imperfect information that is present, the best possible treatment of imperfect information
is using several formalisms in combination. The next question to answer is: what must be done
when subjective data nexpressed in a particular formalism has missing values? Assumptions
are required to be made when relevant data is collected. The solution is to take whatever
information is available and see what can be deduced from it, usually sacrificing some of the
precision of the original methods. In-depth knowledge and detailed brainstorming exercises are
required by both operators and risk analysts (Morgan and Herion, 1990). Ultimately, an
estimate of risk should be accompanied by a statement of the degrees of confidence in the
estimate, hence the term fuzzy rule-based system with belief degrees (Hartford and Baecher,
2004). This statement of degree of confidence describes the extent to which the result of the
analysis can be relied upon in the decision-making process.
Expert systems are subject to various patterns of uncertainty that may exist in information
(Yang et al., 2006). One source of uncertainty is non-specificity in assessing the impact of an
antecedent attributed to distributed assessment of the consequent terms. The other source is the
conflict which arises by judgements acquired from multiple attributes. Other uncertainty
knowledge representation parameters are rule and attribute weights. All these cases can exist
when the expert cannot make strong judgements due to lack of historical data or uncertain
knowledge (Aminravan et al., 2012). Besides, imprecise and incomplete date may be used to
make the rule base. The FRBS allows the capturing of a nonlinear input-output relationship
when the information is not highly assured (Xu et al., 2007).
Traditional FRBS systems claim to be able to model non-specificity, ignorance and conflict
(Yang et al., 2006). Non-specificity in the BRB systems is related to imprecise cardinalities of
the sets of consequent grades. The mathematical framework used to represent these patterns of
uncertainty is based on the evidential reasoning (ER) approach or Dempster-Shafer. The BRB
157
inference methodology using evidential reasoning (RIMER) has been used in various
applications but has some limitations especially when considering vagueness (Yang et al.,
2006). Vagueness is an important facet of uncertainty faced in the applications where linguistic
assessment is a better presentation than numerical values. Both antecedent and consequent parts
of IF-THEN rules in fuzzy logic approaches can have linguistic variables. In classic FRBS
systems vagueness is considered only for the linguistic variables of antecedent attributes.
Considering the different forms of uncertainty knowledge about complex system the use of
FRBS to aforementioned patterns of uncertainty (Aminravan et al., 2012).
This chapter shall establish the difference between sensitivity studies and uncertainty analysis.
Uncertainty analysis is an extension of sensitivity analysis where probability distribution is
associated with the various parameters or models being varied. Thus, the output is in the form
of a probability distribution which specifies the likelihood of each possible result across the
full range of possible results. Analysis of uncertainties associated with data, methods, and FER
used to estimate risks posed by floating dry docks is important. Uncertainty analysis involves
determining the variation or imprecision in the risk model resulting from collective variation
in the parameters used to define the floating dry docks system. Estimation of uncertainty is
done by translating the uncertainty in the analysis models and in the crucial model parameters
into uncertainty in the outputs of the risk model (Hartford and Baecher, 2004).
5.3 Application of FRBS in Risk Assessment
This section reviews the application of two recent studies of FRBS in risk assessment. The
results of these applications show that the generalised pignistic probability is insufficient to
carry certain information provided by fuzzy evidence in the fuzzy evidential reasoning, and the
improvements over traditional non-fuzzy evidential reasoning are quite limited (Elaheh et al.,
2013). However, the hybrid decision rule-based system applied in these studies makes the
proposed FRBS with evidential reasoning, in terms of the classification accuracy and
robustness to the variation of reliability of fuzzy evidence and probability evidence (Zhu and
Basir, 2013). The researches herein mention to support these hypotheses are Aminravan et al.,
(2011) and Da et al., (2009). Aminravan et al. (2011) used an interval belief structure rule-
based system with extended fuzzy Dempster-Shafer inference to investigate microbial water
quality risk assessment. In this new belief structure fuzzy inference system (FIS) the interval
belief structure is introduced to define the rules of an FIS and build uncertain knowledge. Their
study conducted an extensive review just giving the interval belief structure fuzzy inference
158
system using the classic FRBS represented by membership value and belief degree assigned to
each fuzzy proposition. In order to model the interval uncertainty in belief degree assignment
(i.e. non-specificity in belief degree), the fuzzy interval belief structure is proposed. The belief
structure is said to be normalised, while the non-normalised belief structure in the consequence
of all rules provided by experts is normalised. After normalisation the true internal belief
degrees associated with all normalised fuzzy propositions (i.e. basic and intersection fuzzy
propositions) are incorporated into the FIS engine. After establishing the rule based FIS using
the interval belief structure where the fuzzy composition is transformed to its extended fuzzy
Dempster-Shafer theory (FDST) combination, the proposed FIS engine uses the Mamdani
inference procedure to determine the firing strength of each rule. In this study, different weights
for each antecedent attribute and each rule are considered. T-norms are used to account for the
importance of each attribute. The output of each rule is an interval belief structure with
subnormal fuzzy focal elements after accounting for the firing strength. To show the utility of
the proposed belief structure FIS, the risk assessment of drinking water was carried out. By
interpreting the obtained results at a lower level using the hypothesis preference ranking
method (Wang et al., 2006) the hypothesis about the risk of drinking water was estimated as
‘very low’.
The belief rule-based inference methodology to improve nuclear safeguards information
evaluation was presented by Da et al. (2009). After a hierarchical analysis of states’ nuclear
activities on the basis of the International Atomic Energy Agency (IAEA) Physical Model, a
framework for modelling, analysing and synthesising nuclear safeguards information with
various uncertainties was proposed by using a newly developed belief rule base inference
method (RIMER). A belief rule base system which provides a better way used to characterise
the indicator strength in a more rational and realistic way is presented and the input
transformation and activation weight for each rule considered and normalised. The rule based
combination using the evidential reasoning (ER) approach is applied directly to combine the
rules and generate final conclusions.
In particular, the ER recursive algorithm (Yang and Xu, 2002 and Yang et al., 2006) has been
equivalently transformed into the analytical ER algorithm (Yang et al., 2007). Using the
analytical ER algorithm, the overall combined degree of belief is generated. As an example, a
specific evaluation on the possibility degree of ‘No conducting specific process Gaseous
diffusion enrichment’ within the evaluation of production of highly enriched uranium (HEU)
was used to validate the method. The result of scenario output OP was (H, 0.5194, M, 0.2672,
159
and L, 0.2134), which means that the authors were 51.94% sure that process P exists with high
confidence, 26.72% sure that process P exists with medium confidence, 21.31% (low
confidence with process P) they noticed that the results reflect well the real cases because a
strong indicator played a more important role in the evaluation than the weak indicators.
In conclusion, the whole framework aims at modelling, analysing and synthesising information
that may be of a very different nature under uncertainty and for which the traditional
quantitative approach does not give an adequate answer. This methodology can provide the
risk analyst with a convenient tool that can be used at various stages of the design, construction
and operational phases of investigating failures in floating dry dock systems for risk analysis.
In this light, a fuzzy evidential rule-based (FERB) system has been proven to provide better
fusion for multicriteria information compared to traditional FRBS as herein discussed.
5.4 Rule Based System with Fuzzy Evidential Aggregation
This section introduces a fuzzy inference system (FIS) that allows knowledge with various
types of uncertainty to be represented in a rule based FIS. One type of uncertainty in the FIS is
vagueness which refers to the linguistic imprecision in the propositions used to build the rule
base. Another source of uncertainty is ambiguity which represents the condition that non-
specificity and strife coexist in the information used to build the rule base. Non-specificity is
related to imprecise cardinalities of the sets of alternatives while strife expresses conflict among
various sets of alternatives (Aminravan et al., 2011). Crucial information, necessary for
building a realistic model, is usually hidden in historical data (Kilic et al., 2007).
There is also the empirical evidence that past management behaviours in dry docking a vessel
are important. Motivated by the operational aspect of docking a vessel in a floating dry dock
with uncertainty, this chapter proposes a hierarchical belief rule based inference (BRBI)
methodology using evidential reasoning (RIMER) (Yang et al., 2006), which is derived from
the basis of the evidential reasoning approach (ER) (Yang and Sen, 1994, Yang and Singh,
1994, Yang, 2001, and Yang and Xu, 2002) and rule based expert systems. RIMER provides a
modelling and inference framework that enables operators to intervene in the floating dry
docking process and updating of the belief rule base (BRB) using judgemental knowledge and
operational data. The method is easy to understand and implement, and it requires little
computational effort (Li et al., 2012). The concepts of fuzzy sets (Zadeh, 1965, Zimmermann,
1991) and D-S theory (Dempster, 1967, Shafer, 1976) can be further studied as reference. This
section briefly introduces the concept of a fuzzy rule base.
160
5.4.1 The fuzzy belief structure
To properly represent real-world knowledge, fuzzy production rules have been used for
knowledge representation to process uncertain, imprecise and ambiguous knowledge (Chen,
1988, Liu et al., 2012). However, in the literature fuzzy production rules have been criticised
because of the fact that the ‘consequent’ may sometimes not be able to reflect slight changes
of linguistic variables occurring in the antecedent (Yang et al., 2006). Another kind of
uncertainty exists when a strong correlation between premise and conclusion cannot be
established. That condition means the evidence available is not adequate, or experts do not
support a hypothesis totally but only to a degree of belief (Liu, et al., 2013). With the purpose
of modelling more general, complex decision-making problems under uncertainty, the belief
rule idea was proposed by considering a belief distribution in a conclusion (belief degree), the
relative weight of the rule (rule weight) and the relative weight of an antecedent attribute
(attribute weight). Mathematically, a belief rule base (BRB) which captures the dynamics of a
system consists of a collection of belief rules defined as follows (Yang et al., 2006):
Rk : IF x1 is A1k ˄ x2 is A2
k……..xTk is ATkk THEN (D1, β1k), (D2, β2k),…. (DN, βNk) (5.1)
With a rule weight θk and attribute weight δk1,δk2, ……. δKTk, where x1, x2, ……. xTk represents
the antecedent attributes in the kth rule Rk, Aik ( i = 1,2…, Tk, k = 1,2…L) is the referential
value of the kth rule Rk, Aik ∊ Ai, Ai = Aij, j = 1,2,….Ji is a set of referential values, θk (∊
R+, k = 1,2,…L) is the relative weight of the kth rule Rk,, δk1,δk2, …. δKTk are the relative weights
of the Tk antecedent attributes used in the kth rule Rk, and βik (i=1,2…,N, k = 1,2….,L) is the
belief degree assessed to Dj which denotes the jth consequent. If ∑ .Tk
i =1 βik = 1, the kth rule RK is
said to be complete; otherwise, it is incomplete. Note that “˄” is a logical connective to
represent the “AND” relationship. In addition, assume that T is the total number of antecedent
attributes used in the rule base.
5.4.2 Belief rule-based inference methodology using the evidential reasoning approach
Given an input to the system, U(t) = Ui(t), i = 1,2…, TK, how can the rule-base be used to
infer and generate the output? As mentioned earlier, Tk is the total number of antecedents,
which can be one of the following types (Yang et al., 2006): continuous, discrete, symbolic
and ordered symbolic. Before the start of an inference process, the matching degree of input to
each referential value in the antecedents of a rule needs to be determined so that an activation
weight for each rule can be generated. This is equivalent to transforming an input into a
distribution on referential values using belief degrees and can be accomplished using different
161
techniques such as the rule or utility-based equivalence transforming techniques (Yang, 2001,
and Yang et al., 2007). Using the notations provided above, the activation weight of the kth
rule Rk, wk, is calculated as (Yang et al., 2006): Wk = θkak
∑ θiai Li=1
, where ak is called the normalised
combine matching degree. This reflects the individual matching degree to which the input
matches its referential value Aik of the packet antecedent Ak in the kth rule Rk and ak
i ≥ 0 and
∑ .Tk
i =1 aki ≤ 1. In RIMER it can be generated using various ways depending on the different types
of input information. In Yang’s (2001) paper, the important technique of rule based information
transformation was proposed, to deal with the input information that includes qualitative
assessment and quantitative data. This chapter gives a detailed overview for quantitative data.
5.4.3 Fuzzy rule base with belief degree
This new safety model is the so-called belief degree methodology, and each step is outlined
with a detailed description of fuzzy mathematical and logic principles as used in fuzzy logic
systems. A more developed framework is presented Figure 5.2.
Figure 5.2: A generic dry dock safety assessment and synthesis framework
5.5 The Proposed Fuzzy Evidential Reasoning Rule Base with Belief Degree
In the decision-making process, one may need to introduce intelligent computing techniques in
order to capture the structure and behaviour of a floating dry dock system that is highly
nonlinear and uncertain (Kilic et al., 2007). From our point of view, the following principles
Input
distribution
transformation
FURBER Engine
Rule base
with belief
structure
Fact or
Data based
Safety Estimate
Multi-attribute-Multi-expert Aggregation using ER algorithm
Safety Estimate
Ranking and interpretation of the final
safety synthesis of a system
Inputs Membership
Function
For individual
elements
For each element type and
the whole system
162
should be adhered to when selecting a decision model for risk analysis/accident models for a
floating dry dock (Li et al., 2012): (a) the sophistication of models should match the complexity
of a specific decision situation; (b) the techniques should emphasise practical importance rather
than just theoretical merit; (c) the models should be adaptable to different risk analysis
scenarios; and (d) the models should be able to deal with different forms of uncertainties. The
fuzzy rule base approach is generally presented as seen in Figure 5.3. It is well known as the
best solution to real-world problems obtained using the synthesis of some powerful methods.
Figure 5.3: Fuzzy rule base approach
The FRBS combine Fuzzy Set Theory and Dempster-Shafer Theory methods in a synergic
way, preserving their strengths while avoiding the disadvantages they present when used as
monostragegy approaches: a capacity for the representation of fuzzy classifiers is enhanced by
introducing the measure of ambiguity; a limitation of the Dempster-Shafer theory is providing
Identify basic events, consequence, and failure probability
Identification of flow-up consequence and outcome events for
the accident event
Fault tree construction
Propagation of consequence of events basic events probability in
a tree in top-downward fashion
Uncertainty analysis in fault tree
Categorise the uncertainty in expert knowledge to define basic
events probability
Vagueness
Linguistic uncertainty
Subjective uncertainty
Vagueness
Incomplete information
Experts ignorant and conflicts
Fuzzy based approach Evidential Reasoning approach
Defining events probability using fuzzy
numbers
Determine outcome event probability
Determine fuzzy safety risk index
Definition of framework of discernment
Assignment of degree of belief for the basic event Knowledge aggregation to define basic event
probability
Quantification evaluation of fault tree:
Estimation of outcome event frequency for fault tree under uncertainty
Risk control options
Cost benefit analysis
Decision making (Step 3, 4 & 5)
Hazard
Identification
and Ranking
163
effective procedures to draw inferences from belief functions is softened by a rule of
propagation (Dymova et al., 2010). The flowchart of the proposed FRBS with belief degree
modelling methodology is presented in Figure 5.4.
Step 1:
Step 2:
Step 3:
Step 4:
Step 5:
Step 6:
Step 7:
Step 8:
Figure 5.4: Flowchart of proposed fuzzy rule base safety modelling methodology
Expert knowledge
possibility inputs
for attributes
Enter crisp
value
Fuzzify
Extract
rules Fuzzy input sets
Defuzzify Aggregate and normalise
Inference engine Rule based
with belief
degree
Ranking for risk control making
Linguistic variables
from hazard
worksheets
Input membership
function shapes
No
Yes
u e U
Modus ponens
Evaluate
rules
Fuzzy output set
Outputs
membership
function shapes
Crisp evaluated
index
Apply/maximum
method
Multi-attributes synthesis
Via evidential reasoning
w.r.t safety utility and
preferences
Weighted evaluated
indices
Ranking
u e U
164
5.5.1 Hazard identification and fault tree
Preceding hazard identification is the preparatory study which includes identification of
experts, selection of model, and choice of approach, questionnaires and conference meeting. In
this methodology, hazard identification is carried out using fault tree analysis. The base events
of failure analysis are linked to middle events using AND/OR gates. For risk estimation
purposes in floating dock operation, three safety parameters are used to define the risk of base
events in the fault tee. These safety parameters are failure likelihood (FL) consequence severity
(CS) and failure consequence probability (FCP). Once accident analysis has been carried out on
the worksheet, the corresponding fault tree is constructed and the next step is to use linguistic
variables collected from the expert’s worksheet to start the belief rule base inference (BRBI).
The safety level (S) is expressed as the conclusion attribute. Subjective belief degrees are
assigned to the linguistic variable used to express the conclusion attribute S for modelling the
incompleteness of expert judgement. The linguistic variables for describing each base event
attribute are decided according to the situation of the case of interest in floating dock risk
analysis. To estimate FL, for example, one may often use such variables as (FL, j = 1,...,5), very
low, low, average, frequent and highly frequent. To estimate CS, one may choose to use such
linguistic terms (CS, j = 1,...,5) such as negligible, marginal, moderate, critical, and
catastrophic.
To estimate FCP, one may use such variables (FCP, k = 1,…,5) as highly unlikely, unlikely,
likely, highly likely, and definite. Similarly, the safety level of the particular base event can be
described using such linguistic variables (Sh, h = 1, …, 4) such as good, average, fair and poor.
All the criteria of base events in the hierarchical structure are given assessment grades from
five experts. Consequently, belief rule based inference (BRBI) can be established, and the
advantages of using belief functions can be appropriately appreciated.
5.5.2 Belief rule based inference (BRBI)
BRBI is a hybrid modelling and inference scheme in which subjective knowledge or system
behaviour can be described using belief rule base natural language. Belief rule has been
proposed recently as an efficient tool for uncertain and nonlinear modelling with reasonable
precision while allowing linguistic interpretability (Yang et al., 2007), and has been
successfully utilised in many complex decision-making domains where traditional analytical
methods do not work well (Li et al., 2012).
165
5.5.3 The development of a fuzzy rule base
The starting point of constructing a rule-based system is to collect if-then rules from human
experts or based on domain knowledge. A knowledge base and an inference engine are then
designed to infer useful conclusions from the rules and observation facts provided by users
(Yang et al., 2006). Formally, a rule based mode is represented as R = ( U, A, D, F), where U
is the set of antecedent attributes, with each of them taking values (or propositions) from an
array of finite sets A which is a referential set of values for attribute U. The values or
propositions in A were mentioned in Section 5.4. The array U defines a list of finite conditions,
representing the elementary states of a problem domain, which may be linked by some logical
connectivity. D is the set of consequents, which can either be conclusions or actions. F is a
logical function, reflecting the relationship between conditions and their associated conclusions
(Yang et al., 2006). Several sources can be used to derive the fuzzy rules. These approaches
are mutually supporting each other, and a combination of them is often the most effective way
to determine the rule base.
In the statistical data and information analysis the fuzzy rules may be derived based on
statistical studies of the information in previous incident and accident reports or database
systems. An in-depth literature search may also be helpful. Skilled human analysts often have
a good, intuitive knowledge of the behaviour of the system and the risks involved in various
types of failure without having any quantitative model in mind. Fuzzy rules provide a natural
platform for abstracting information based on expert judgements and engineering knowledge
since they are expressed in linguistic form rather than numerical variables. Therefore, experts
often find fuzzy rules to be a convenient way to express their knowledge of a situation in a
floating dry dock. Note that in a rule base a referential set can be a set of meaningful and
distinctive evaluation standards for describing an attribute by subjective linguistic terms. To
establish a rule base, one has to determine which referential set of each antecedent attributes
needs to be used and how many referential values should be used (Yang et al., 2006). In
practical applications the fuzziness of the antecedents eliminates the need for a precise match
with the inputs. All the rules that have any truth in their premise will fire and contribute to the
fuzzy conclusion, i.e. RL expression. Each rule is fired to a degree that is a function of the
degree to which its antecedent matches the input. This imprecise matching provides a basis for
interpolation between possible input states and serves to minimise the number of rules needed
to describe the input-output relation. The rules developed in this research framework are
presented in Table 5.1. The continuation of this rule is presented in Appendix 5.
166
R Table 5.1: Rule base development
FL CS FCP P F A G VG 1 Very low Negligible Highly U 1
2 Very low Negligible Unlikely 0.25 0.75
3 Very low Negligible Likely 0.25 0.75
4 Very low Negligible Highly L 0.25 0.75
5 Very low Negligible Definite 0.25 0.75
6 Very low Marginal Highly U 0.4 0.6
7 Very low Marginal Unlikely 0.65 0.35
8 Very low Marginal Likely 0.25 0.4 0.35
9 Very low Marginal Highly L 0.25 0.4 0.35
10 Very low Marginal Definite 0.25 0.4 0.35
11 Very low Moderate Highly U 0.4 0.6
12 Very low Moderate Unlikely 0.4 0.25 0.35
13 Very low Moderate Likely 0.65 0.35
14 Very low Moderate Highly L 0.25 0.4 0.35
15 Very low Moderate Definite 0.25 0.4 0.35
16 Very low Critical Highly U 0.4 0.6
17 Very low Critical Unlikely 0.4 0.25 0.35
18 Very low Critical Likely 0.4 0.25 0.35
19 Very low Critical Highly L 0.65 0.35
20 Very low Critical Definite 0.25 0.4 0.35
21 Very low Catastrophic Highly L 0.4 0.6
22 Very low Catastrophic Unlikely 0.4 0.25 0.35
23 Very low Catastrophic Likely 0.4 0.25 0.35
24 Very low Catastrophic Highly L 0.4 0.25 0.35
25 Very low Catastrophic Definite 0.65 0.35
26 Low Negligible Highly U 0.35 0.65
27 Low Negligible Unlikely 0.6 0.4
28 Low Negligible Likely 0.25 0.35 0.4
29 Low Negligible Highly L 0.25 0.35 0.4
30 Low Negligible Definite 0.25 0.35 0.4
31 Low Marginal Highly U 0.65 0.25
32 Low Marginal Unlikely 1
33 Low Marginal Likely 0.25 0.75
34 Low Marginal Highly L 0.25 0.75
35 Low Marginal Definite 0.25 0.75
36 Low Moderate Highly U 0.4 0.35 0.25
37 Low Moderate Unlikely 0.4 0.6
38 Low Moderate Likely 0.65 0.35
39 Low Moderate Highly L 0.25 0.4 0.35
40 Low Moderate Definite 0.25 0.4 0.35
41 Low Critical Highly U 0.4 0.35 0.25
42 Low Critical Unlikely 0.4 0.6
43 Low Critical Likely 0.4 0.25 0.35
44 Low Critical Highly L 0.65 0.35
45 Low Critical Definite 0.25 0.4 0.35
46 Low Catastrophic Highly U 0.4 0.35 0.25
47 Low Catastrophic Unlikely 0.4 0.6
48 Low Catastrophic Likely 0.4 0.25 0.35
49 Low Catastrophic Highly L 0.4 0.25 0.35
50 Low Catastrophic Definite 0.65 0.35
51 Average Negligible Highly U 0.35 0.65
52 Average Negligible Unlikely 0.35 0.25 0.4
53 Average Negligible Likely 0.6 0.4
54 Average Negligible Highly L 0.25 0.35 0.4
55 Average Negligible Definite 0.25 0.35 0.4
56 Average Marginal Highly U 0.35 0.4 0.25
57 Average Marginal Unlikely 0.35 0.65
58 Average Marginal Likely 0.6 0.4
59 Average Marginal Highly L 0.25 0.35 0.4
60 Average Marginal Definite 0.25 0.35 0.4
61 Average Moderate Highly U 0.75 0.25
167
The generation of the BRB rules presented in Table 5.1 corresponds to three failure parameters,
FCP, CS, and FL with associated assessment grades to identify the risk level. Generally, the
numbers of belief rules are equal to the numbers of all possible combinations. In this study, the
number of possible combination with three risk factors and five assessment grades describing
the risk factors totals 125 rules.
The rule weighs are not considered in this rule because there is only one rule in each inference
path leading to a final outcome. As an example, a belief rule can be developed if the three risk
factors FCP, CS, and FL with assessment grade importance (AGI) 0.25, 0.4 and 0.35 respectively,
are considered. The AGI varies from one study to another, and is dependent on the experts
consulted, the risk analyst judgement, and/or the combination of mathematical method applied.
In this study a risk analyst judgement approach is used to assign the AGIs based on intuition.
Using belief rule 8 as an example:
(0.35) FL Very low : (0.4) CS
Marginal : (0.25) FCP Likely : the corresponding assessment scale on
five (5) is noted i.e. ‘5’ for very low, ‘4’ for marginal and ‘3’ for likely. The safety estimate
poor (1), fair (2), average (3), good (4) and very good (5) have the following outcome, 0
poor, 0 fair, 0.25 average – because CS is one scale 3, 0.4 good – because FCP falls on scale 4,
and 0.35 very good – because FL falls on scale 5 for rule 8.
This method is used to generate all the rules used in this study. The rule inference is a set of
conclusions with belief distributions that reflect the effects of all the rules whose truth values
are greater than Zero. The results obtained from the truth degrees comes with a belief structure
for each failure mode, and the Dempster rule can be used to combine these rules, which can be
directly implemented as follows:
1) Tabulated input data received from experts is mapped to its corresponding rule
2) A figure is presented which translates the number of failure modes present in tabulated
expert input data to produce a combination of total rules fired and a ratio of rules fired.
3) Tabulate the number of rules fired, with the corresponding rules weight identified as a
ratio of failure mode identified.
4) Using the classical Dempster rule of combination, the data from each fired belief can
be fused to get the final conclusion generated by aggregating all the rules, which are
activated by the actual input of each failure mode.
To estimate failure likelihood in safety analysis, for example, one may use such linguistic terms
as highly frequent, frequent, average, low and very low. These linguistic terms are the
168
referential values for an antecedent attribute failure likelihood. In a general rule base, a
referential set may be different in type (Yang et al., 2006). The importance of fuzzy IF-THEN
rules stems from the fact that human expert judgements and engineering knowledge can often
be represented in the form of fuzzy rules. Rules based on these types of linguistic variables are
more natural and expressive than numerical and criticality calculations. It is clear that such
rules can accommodate quantitative data such as FL and qualitative judgemental data such as
the CS, and combine them consistently in risk level evaluation. More specifically, the kth rule
in a rule base in the form of a conjunctive ‘if-then’ rule can be written as (Yang et al., 2006):
IF FL is very low AND CS is negligible THEN RL is low (5.2)
If the failure rate of a hazard is frequent and consequent severity is catastrophic and failure
consequence probability is likely, then safety estimate is poor. The linguistic terms frequent,
catastrophic, and likely are the referential values of the attribute’s failure rate, consequence
severity and failure consequence probability, respectively. Poor is the consequent of the rule
corresponding to the output attribute safety estimate (Yang et al., 2006). A basic rule is
composed of a collection of such simple ‘if-then’ rules. In more complicated rules, the relative
importance of an antecedent attribute (attribute weight) is considered (Yang et al., 2006). To
take into account belief degrees, the attributes in a rule are extended as;
Rk : if A1 then Dk, with a belief degree Bk, and an attribute weights, where (5.3)
Aki is the referential value of the ith antecedent attribute in the kth rule, Tk is the number of
antecedent attributes used in the kth rule, and Bk the belief degree to which Dk is believed to
be the consequent, given Ak1,…Ak2…in the kth rule.
Rule (5.2) can be further extended to a so-called packet rule using a belief structure, where all
possible consequents are associated with belief degrees. A collection of packet rules constitutes
a rule base with a belief structure (called a belief rule base) as
Rk: Take, for example, the following belief rule in safety analysis:
Rk : If the failure rate is frequent and the consequence severity is critical and the failure
consequence probability is unlikely, then the safety estimate is (good, 0), (average, 0), (fair,
0.7), (poor, 0.3), where (good, 0), (average, 0), (fair, 0.7), (poor, 0.3) is a belief distribution
representation for safety consequent, stating that it is 70% sure that safety level is fair and 30%
sure that the safety level is poor. In this belief rule, the total degree of belief is 0.3+0.7 = 1, so
169
that the assessment is complete. The referential value set for failure rate is given by AFR = very
low, low, reasonably low, average, reasonably frequent, frequent, and highly frequent.
Remark: antecedent attributes or the number of attributes is not required to be the same from
one rule to another, even though they share a common consequent set D = Dn ; n = 1,…,N.
A belief rule based in the form shown in eqn. 5.3 represents functional mapping between
antecedents and consequents with uncertainty. It provides a more informative and realistic
scheme for uncertain knowledge representation. Note that the degrees of belief Bik could be
assigned directly by experts, or, more generally, they may be trained and updated using
dedicated learning algorithms if prior or up-to-date information regarding the inputs and
outputs of a rule-based system is available. Once such a belief rule base is established, the
knowledge contained in the belief rule base can be used to perform inference for a given input
(Yang et al., 2006).
The relative importance of an attribute to its consequent (attribute weight) plays an important
role in rule base inference. For example, using RL 123 in Table 5.1, highly frequent,
catastrophic and likely, may lead to consequent [0.75 P, F, 0.25A, G, VG]. The values ‘0.75’
and ‘0.25’ represent the assigned weight of attribute. It is important to assign a weight to each
attribute in order to show the relative importance of each attribute to the consequent. Obtaining
the consequent weight attribute, the referential values of each safety parameter are used. In this
study, the referential values are assigned by the risk analyst as 0.25, 0.4, and 0.65 for FL, CS
and FCP respectively (Yang et al., 2006).
5.5.4 Input transformation
Before an inference process can start, the relationship between an input (fact) and each
referential value in the antecedents of a rule needs to be determined so that an activation weight
for each rule can be generated (Yang et al., 2006). The basic idea is to examine all the
referential values of each attribute in order to determine a matching degree to which an input
belongs to a referential value. This is equivalent to transforming an input into a distribution on
referential values using belief degrees. Once the matching between an input and the referential
values of all antecedents in a rule are determined, they are processed to generate the weight
rule, which is used to measure the degree to which the packet antecedent of the rule is activated
by the input. To facilitate data collection, it is desirable to acquire assessment information in a
manner appropriate to a particular attribute. By using the distribution assessment approach, a
170
referential value of an attribute may in general be regarded as an evaluation grade, and the input
for each ith attribute transformed to a distribution on the referential values of the attributes
using the belief degrees.
5.5.5 Rule inference using the evidential reasoning approach
Based on the above belief rule expression, the ER approach can be used to combine rules and
generate a final conclusion. Having represented each rule established in Table A, the ER
approach can be directly applied as follows. First, transform the degrees of belief 𝛽jk for all j =
1,….,N, K= 1,..,L into basic probability masses using the following ER algorithm (Yang and
Xu, 2002). Suppose the two rules firing are denoted βjSij is expressed (Nwaoho et al., 2012).
5.5.6 Defuzzification of output
The use of ER is a resultant overall output is ranked in safety expression, poor, fair, average,
good and very good. Its membership function is presented in Table 5.2.
Table 5.2: Membership function for crisp probability value
1 2 3 4 5 6 7
P 0 0 0 0 0 0.75 1
F 0 0 0 0 0.75 1 0.25
AV 0 0 0 0.75 1 0.25 0
G 0.25 1 0.75 0 0 0 0
VG 1 0.75 0 0 0 0 0
Let P1= P, P2 = F, P3 = AV, P4 = G, P5 = VG, then P1 = P5
1/P11, P2 = P4
1/P11, P3 = P3
1/P11, P4 = P2
1/P11,
P5 = P1. P11 = [0.75 (0.75+1)]6 + [1(0.75+1)]7 = 6.571, P2
1 = [0.75 (0.75+1+0.25)]5 + [1(0.75+1+0.25)]6
+ [0.25(0.75+1+0.25)]7 = 5.75
P31 = [0.75 (0.75+1+0.25)]4 + [1(0.75+1+0.25)]5 + [0.25(0.75+1+0.25)]6 = 4.75
P41 = [0.25 (0.25+1+0.75)]1 + [1(0.25+1+0.75)]2 + [0.75(0.25+1+0.75)]3 = 2.25
P51 = [1 (1+0.75)]1 + [0.75(1+0.75)]2 = 1.428
P1 = 1.428/6.571 = 0.217, P2 = 2.25/6.571 = 0.342, P3 = 4.75/6.571 = 0.729, P4 = 5.75/6.571 = 0.875
Q = 0.217T1 + 0.342T2 + 0.729T3 + 0.875T4 + 1.482T5 (5.4)
where T is the corresponding safety expression of the risk factor assessed
171
5.5.7 Intelligent decision system software
The aforementioned ER algorithm base in Nwaoho et al. (2012) is integrated into a software
package called IDS (Yang & Dong, 2002), an intelligent decision system via the ER approach.
The IDS software is used in this study to aggregate three or more experts’ preference input
data based on the ER algorithm. The capability of the IDS software is as referenced (Yang &
Xu, 2002, Wang & Elhag, 2008 & Mokhtari et al. 2012). Yang and Xu (2002) used the IDS
software to rank the overall performance of Kawazaki, BMW, Yamaha and Honda
motorcycles. For the purpose of comparison they ranked them as per their average scores
derived from the IDS. Likewise, Wang and Elhang (2008) used the IDS for three bridges
condition assessment. In their assessment the maximum average score meant the best and
safest one. Mokhtari et al. (2012) recently evaluated three Iranian ports of Bushehr, Shahid
Rajaie and Chabahar under a fuzzy environment. The overall scores of the three nominated
ports were calculated using IDS. As a result, this function of the IDS can prove the results
obtained in this study.
5.5.8 Convert crisp possibility score (CPS) into probability value (PV)
The crisp value (Q) (in eqn. 5.4) of every safety description can be converted to its
corresponding probability value (PV). In traditional fault tree analysis, input is required in the
form of exact probability values; however, in fuzzy evidential reasoning the output is crisp
possibility score (CPS) because the occurrence probability of each basic event is presented by
fuzzy numbers (Wang et al., 2013). There is inconsistency between the real probability data
and the possibility score. This issue can be solved by transforming the CPS into the form of
probability of occurrence. The following conversion function (Onisawa, 1998, 1990) is
proposed:
PV = 1
10m, CPS = 0
0, CPS = 0, (5.5)
where m = (1-cps
cps)
1
3 x 2.301 (5.6)
5.5.9 Fussell-Vesely importance of basic events
At the time of a decision-making process, it is useful to have the events sorted according to
some criteria. This ranking is enabled by importance analysis. In this study, the importance
analysis is carried out based on the investigation of the importance of the middle events, base
172
events and the minimum cut sets in the proposed tree (Wang et al., 2013). The Fussell-Vesely
importance (FV-I) is employed to evaluate the contribution of the middle event to the
occurrence probability of the stability failure in floating dry docks. It provides a numerical
significance of all the base events in the stability failure fault tree and allows them to be
prioritised. The FV-I of the base event is calculated by the following equation (Vinod et al.,
2003):
IxiFV =
PTE - (PTE xi=0)
PTE
(5.7)
Where IxiFV is the FV-I index of the ith BE; PTE
xi=0is the occurrence probability of the stability
failure by setting the probability of the ith BE to 0. Decision makers use this importance index
to improve the safety features of the analysed floating dry dock.
5.5.10 Cut sets importance
Cut sets importance (CS-I) is used to evaluate the contribution of each minimum cut set (MCS)
to the top event (TE) occurrence probability of stability failure in a floating dry dock. This
importance measure provides a method for ranking the impact of each MCS and identifying
the most likely path that leads to the TE (Wang et al., 2013). In order to measure the CS
importance, the output fuzzy possibility of each MCS of the stability failure in the floating dry
dock fault tree needs to be converted into the probability value using the methods described in
Sections 5.5.2-5.5.3. Then the MCS importance is estimated by calculating the ratio of the
MCS probability to the stability failure probability. The calculation is performed as follows
(Wang et al., 2013):
IjCS =
PjMCS
PTE (5.8)
where IjCS is the CS-I index of the jth MCS; Pj
MCS is the occurrence probability of the jth MCS.
5.5.11 Fault tree ++ software
This is an advanced software package that provides an efficient method for identification of
critical components in the stability failure of floating dry docks, and provides ranking of
different system components according to their importance using FV-I equations seen in
Section 5.5.5. It also provides the results for MCS using equation 5.8. This software package
is therefore essential for design alternatives and re-assessment to provide efficient design
modifications for decision making in stability failure analysis of floating dry docks
173
5.6 Structural Failure of Pontoon Due To Excessive Transverse Bending
Structural failures of floating dry dock pontoons due to excessive transverse bending stresses
were thought to be relatively rare occurrences. Accidents have been reported due to steel plate
panels that have their axis parallel to the longitudinal axis of the dock and perpendicular to the
line of transverse compressive stress in the plate when docking a ship (Heger, 2002).
5.6.1 18, 000 ton floating dock
This case involves an 18,000 metric ton capacity floating dock and 180 metres pontoon length.
A vessel of 15,000 metric tons (well within the overall capacity of the dock) was being brought
out of the water when the pontoon deck suddenly buckled along the length of the dock. The
crew stopped pumping, re-ballasted the dock and undocked the vessel. When the empty dock
was pumped back up, it could be seen that the pontoon deck and transverse bulkheads had
sustained massive damage due to buckling plating. The causes of this accident upon
investigation were due to: (a) Pontoon deck’s strength; and (b) Method of ballasting.
5.6.1.1 Pontoon’s Deck’s Strength
The relative difference in stiffener orientation between longitudinal framed and transversely
framed deck panels when resisting compression induced by transverse bending of the pontoon
is shown in Figure 5.5.
Figure 5.5: Comparison of Panels
The overall strength/capacity of the dock was adequate for lifting vessels within design limits.
However, the pontoon deck was stiffened longitudinally. This resulted in deck panels that could
Partial plan of pontoon
deck transversely
framed deck
Partial plan of pontoon
deck longitudinally frame
of deck
Ultimate buckling stress = 12 KSI Ultimate buckling
stress = 31 KSI
Direction of stress Direction of stress
Longitudinal
axis of dock
174
buckle if the design limits were exceeded. This means the factor of safety before failure is less
for a longitudinally framed pontoon than for a transversely framed pontoon. The dock’s rated
load capacity of 100 metric tons per metre was based on the structural and buoyancy capacity
of the dry dock. According to Navsea (2012), ‘a panel framed longitudinally does not have as
great a capacity to resist transverse buckling as a transversely framed panel of similar
dimensions. A 600mm x 2100 mm panel with plate thickness of 12mm has an ultimate buckling
stress (stress in plate at time of failure) of 214,000 KPa if orientated transversely and 82,700
KPa if longitudinally’.
5.6.1.2 Method of de-ballasting
During the docking, water was at first de-ballasted under the loaded blocks. Since the block
loads exceeded the buoyant capacity, the water in the tanks under the vessel approached their
minimum levels and the vessel had to emerge from the water (see Figure 5.6).
Figure 5.6: Bending moment diagram buoyancy less than load
Unfortunately, the crew was not monitoring longitudinal deflections and there was no method
of monitoring transverse stresses. When a loaded tank is de-ballasted, the buoyancy created by
removing water is offset by the weight of the vessel being lifted. The buoyancy is spread across
the width of the pontoon but the vessel load is concentrated at the centre (on the keel). This
creates a tendency of the pontoon to bend up around the keel block. This puts the bottom plate
in tension and the pontoon deck plate in compression. Typically, the pontoon is designed to
resist the full buoyancy of the tank offset by an equal but opposite vessel load on the keel
blocks. If the block load over a tank exceeds the buoyant capacity of the tank, the excess load
Buoyancy < Block Load
Block Loads
Bending moment diagram
Shear + Buoyancy = Block Load
Shear in Wing Shear in Wing
175
must be compensated by buoyancy from other areas of the dock. In this case, the additional
buoyancy came from the unloaded tanks at each end of the dock (see Figures 5.7 and 5.8).
Figure 5.7: Bending moment diagram buoyancy equals load
Figure 5.8: Distribution of buoyancy
De-ballasting of the unloaded end tanks was increased to try to get the pontoon out of the water.
Pumping in this manner caused the dock to deflect longitudinally and increased the transverse
bending moment on the pontoon. When the unloaded tank is de-ballasted, there is no ship
Buoyancy = Block Load
Block Loads
Bending moment diagram
Buoyancy << Load/FT
Load/FT < > Buoyancy/FT
Block Length
176
weight to offset the increased buoyancy. The pontoon in this area wants to rise out of the water
but is held down by vertical walls of the wings. The excess buoyancy is transferred
longitudinally down the wing walls as shear load to the area where the ship loads exceeds the
local buoyancy. This shear load in the wing walls provides additional force required to hold up
the ship. This additional uplift force is located at the wing wall vertical shells and can greatly
increase the transverse bending moment on the pontoon. This increase in the moment causes
an increase in the bending stresses in the top and bottom plates of the pontoon (see Figure
5.10).
5.6.2 14,200 Ton floating dock
Case 2 involved a 14, 200 metric ton (14,000 long ton) capacity floating dry dock which was
docking a CG-47 Class Naval Vessel. Before docking, block loading calculations were
performed which showed the vessel’s load per metre would exceed the dock’s rated capacity
if the standard keel block arrangement was used. To reduce the load per metre, the shipyard
added additional keel blocks along the fantail. This had the benefit of lengthening the effective
keel line and reducing the eccentricity between vessel LCG and block centreline. The result of
the longer block line was a reduction in the load per metre to an acceptable value. A pumping
plan was prepared based on this loading.
Experience with prior dockings had shown dimensional information on the fantails shape was
unreliable for building blocks to the exact height. It was decided to set the initial height of the
fantail blocks 75 mm too low. The ship would be landed on the ‘standard’ keel line, lifted 2
feet and stopped. At that point the fantail blocks would be packed tight by divers and then the
vessel lifted the rest of the way. The vessel was landed and the dry dock dewatered according
to the pumping plan. After the dock reached operating freeboard it was noticed that the pontoon
deck plate had buckled along the entire length of the dock. The dock required extensive
rebuilding. An investigation after the accident showed the accident occurred for the following
reasons: (a) assumption on calculation; and (b) fantail blocks were not wedged up tight against
the hull as originally believed.
5.6.2.1 Assumption on calculation
The keel block loading was calculated assuming that combined ‘standard’ keel blocks and the
fantail blocks were a typical keel line in which a trapezoidal load configuration was developed.
The pumping plan was developed based on this loading. In actuality, the vessel was landed on
177
the ‘standard’ keel first and raised 2 feet. This had an effect of preloading the ‘standard’ keel
line with higher loads near the aft knuckle before any load was imparted on the fantail blocks.
5.6.2.2 Fantail blocks error
The fantail blocks were not wedged up tight against the hull as originally believed. Divers
installed shims in the 75 mm gap between the fantail blocks and hull but they left an
approximately 6 mm gap between the shims and the hull. Because of the gap between fantail
blocks and hull, the fantail blocks took no load until the vessel was pumped high enough to
squeeze the standard blocks and deflect the dry dock until the gap closed up.
5.6.2.3 Pumping plan assumption
The load on the fantail blocks was much less than the pumping plan assumed and the load on
the skeg area of the standard blocks was greater than the pumping plan assumed. This high
load on the skeg area exceeded the design limit for the dock. This resulted in a situation very
similar to the Case 1 accident. The excess buoyancy under the fantail blocks was transmitted
through shear in the wing walls to the overloaded skeg area. This increased the transverse
bending moment causing the deck to buckle in that area. Other areas failed ‘domino style’ once
one area gave way.
5.6.3 Consequence analysis
The accident discussed in this section occurred while the dock was being deballasted in a
manner that unknowingly magnified the compressive stress in the pontoon deck plates to a
point which exceeded their buckling strength. The accident was caused by this phenomenon.
As the vessel was being pumped up, the water in the loaded tanks was approaching minimum
levels. The crew began to pump more out of the unloaded end tanks to attempt to get the
pontoon deck out of the water.
The additional buoyancy force from the end tanks was transferred down to the wings the
overloaded tanks. This increased the transverse bending force on the pontoon to the point when
the pontoon deck plate panels buckled (probably first in the area of the ship’s knuckle). Once
one area failed, the remaining panels would fail, ‘domino’ style.
178
5.7 Case Study: Pontoon Deck Failure Analysis
The stress in the pontoon deck exceeds the critical buckling stress of the deck panels; a collapse
of a generic floating dry dock is presented in Figure 5.9.
Figure 5.9: Pontoon deck failure model
Transverse
bending failure
Allowable transverse bending
moment of Pontoon deck
reduction by 70%
Pontoon decks bend up
around keel blocks
Deflection of dock
longitudinally
Keel blocks load
Wing Wall Shear force
transfer
Pumping plan error
Unloaded tank ballasting
effects
Standard block loads
Calculation assumption
Stress and deflection
monitoring devices
Pumping manner
Top deck compression
Bottom plate tension
Reduction in allowable
stress
Reduced area
Corrosion attack
Lack of Ultrasonic measurement
Lack of periodic maintenance
Lack of verification scheme
Spread of buoyancy over pontoon deck
Concentrated tank load
Block loads
Buoyancy capacity
Transverse stress measurement error
Lack of method for measure longitudinal
deflection
Concentrated vessel load
Buoyancy tank load
Unverified dock rating
Vessel’s load per meter on blocks
Over design limit
High load
No ship on tank effect
Increase buoyancy
Wrong diver’s instruction
Block landing effects
Prior experience assumption
179
5.7.1 Case study description
One of the important characteristics that will affect the whole system performance is the
pontoon deck transverse bending resistance. Its pontoon deck is designed to operate with
transverse stiffened panels. Research from accident investigation shows that longitudinally
framed pontoon decks have less critical buckling strength of deck compared with transverse
panel of the same dimension. The proposed methodology is designed for determination of the
appropriate decision measures to operate a generic floating dock from a risk analysis
perspective. In this study, criteria and alternatives are determined by questionnaire technique
applied to shipyard specialists possible users working in the maritime sector and specialist
working in shipyards. Criteria and sub-criteria were determined via questionnaire and deep
discussions with specialists in the maritime sector (especially with the ones working in the
floating dry dock area) and also by making use of previous studies and investigative reports.
Criteria and sub-criteria (immediate events) of a generic pontoon deck failure are illustrated in
Figure 5.11. Here the criterion ‘Allowable transverse bending moment of pontoon deck by 70%’
has its sub-criteria ‘reduction in allowable stress’ and ‘reduced area of the pontoon deck’. The
causes of reduced area of the pontoon deck are ‘corrosion attack’ and ‘lack of ultrasonic
measurement’ to determine loss in metal thickness in the pontoon deck. The causes of
‘reduction in allowable bulking stresses’ are ‘lack of verification scheme of metal thickness’
and ‘lack of periodic inspections of the dock structure’. Another criterion is ‘Pontoon deck
bend up around the keel’, which has two sub-criteria, which are the reaction between ‘top deck
compression’ and ‘bottom plate tension’. The full interaction between sub-criteria is self-
explanatory, as illustrated in Table 6.3.
The evaluation of the structural failure of the pontoon is to estimate a possibility degree to what
extent the objective of docking a vessel in a floating dry dock is attained. At the lowest level,
the value of the possibility degrees reflects the capacity ‘no failure of the pontoon involving
transverse bending failures’. The proposed belief structure FIS is used for risk assessment of
pontoon deck structural failure whilst loading a vessel. One of the challenges in quantifying
the risk in this realm is dealing with incommensurable and uncertain information, which needs
rational aggregation schemes (Franciscque et al., 2009). Assuming that some incommensurable
attributes are available that can indicate the risk at the lowest level, then the different levels of
each attribute can be defined by experts. The experts are provided with a sample description of
a generic failure model and potential accident model. As an example a specific evaluation is
considered to illustrate the proposed method. Let it be required that the evaluation of the
180
possibility degree of no failure of the pontoon involving bending transverse failure within the
operation of a floating dry dock be assessed by three (3) parameters: (1) failure consequence
probability (FCP); (2) consequence severity (CS); and (3) failure likelihood (FL). For simplicity
but without loss of generality, it is supposed that the evaluation linguistic grades involved in
the case study are very low, low, medium, high and very high. Each indicator and the process
are assessed into a belief distribution of these five values. For example, if the assessment of an
output indicator A is: (very low, β1, low, β2, medium, β3, high, β4, and very high, β5), this
implies the possibility of existing and the confidence level, βi (i= 1,..,5) represents the degree
of confidence in a particular belief.
The linguistic variables are defined to represent the level of each pontoon structural failure
parameter converted to its corresponding fault tree. For the value of FL, an expert may choose
from a set of linguistic variables “very low (VL)”, “low (L)”, “medium (M)”, “high (H)”, very
high (VH)”. The value for attribute FCP is defined by five linguistic variables “highly unlikely
(HU)”, “unlikely (U)”, “likely (L)”, “highly likely (HL)”, and “definite (D)”; CS is defined as
“negligible (N)”, “marginal (MA)”, “moderate (M)”, “critical (CR)” and “catastrophic (CT)”.
The fuzzy propositions are defined for these attributes based on literature review, experts’
experience in docking a vessel in floating dry docks, and author’s judgement. The FIS output,
which is defined as the risk associated with DN27 pontoon structural failure, is characterised
by five linguistic fuzzy grades: “very poor (VP)”, “poor (P)”, “average (A)”, “good (G)”, and
“very good (VG)” with belief degree (very low, β1, low, β2, medium, β3, high, β4, and very
high, β5).
The uncertainty and incomplete knowledge about the pontoon deck failure is modelled using
the proposed FER system. For different conditions in the operation model, nonspecific and
uncertain assignments to the fuzzy output risks levels are possible. Other parameters
representing the rule uncertainty such as initial rule and attribute weights are also considered
(Aminravan et al., 2012). Experts are given the opportunity to provide nonspecific and
uncertain assignments for the set of possible conditions. The experts used in this case study
have different experiences in floating dry docking industry. Five were consulted with weights
0.1, 0.2, 0.3, 0.3, 0.5 which represents 08 years, 11 years, 15 years, 17 years, and 26 years
respectively of different multi-national experts consulted for this study. The weights of the
three attributes (indicators) were extracted through ER elicited from experts. The weights of
the attributes remain unchanged in the designed FIS engine as failure consequence probability
(FCP) = 0.25, consequence severity (CS) = 0.4 and failure likelihood (FL) = 0.35.
181
The full account of all the rules of all knowledge bases and how the representation of
uncertainty is presented as related to all the rules presented in the FRB Table 5.1. Suppose that
FCPU corresponds to a set of indicators. Accordingly, UF
cp, UCP and UF
L correspond to the
strength of the weights respectively. There are a total of 25 indicators. If each indicator is
described by five grades, then there should be a total of 5 x 25 = 125 rules as constructed in
Table 5.1 called the belief rule base (BRB) developed for this case study.
Table 5.3: The immediate event
Influence criteria Influencing Criteria Wing Wall Shear force Pumping plan
Unloaded tank ballasting effect
Keel blocks load
Standard block load
Calculation assumption
Deflection of dock longitudinally
Stress and deflection monitoring devices error
Inappropriate pumping method
Pontoon deck bend up around keel block Top deck compression
Bottom plate tension
Pumping manner
Top deck compression
Bottom plate tension
Allowable transverse bending moment of
pontoon deck reduction by 70 %
Reduction in allowable stress
Reduce surface acting area
Table 5.4: Event symbols
Top event Base event
TE Pontoon deck failure due to bending stress
B1 Corrosion attack
U Immediate Event B2 Lack of Ultrasonic measurement
B3 Lack of periodic maintenance
U1 Allowable transverse bending moment B4 Lack of verification scheme
U2 Pontoon deck bending up B5 Spread of buoyancy over pontoon deck
U3 Pontoon deck deflection longitudinally B6 Concentrated tank load
U4 Keel blocks B7 Buoyancy tank load
U5 Wing walls shear force transfer B8 Concentrated vessel load
B9 Block loads
V Intermediate Event B10 Buoyancy capacity
B11 Lack of method for measuring transverse stress
V1 Reduced area of pontoon deck B12 Lack of method for measuring longitudinal deflection
V2 Reduction in allowable bulking stress B13 Unverified dock rating
V3 Bottom plate tension B14 Vessel’s load per meter on blocks
V4 Top plate compression B15 Over design limit
V5 Pumping manner B16 High load
V6 Lack of deflection monitoring devices B17 No ship on tank effect
V7 Calculation assumptions B18 Increased buoyancy
V8 Standard block loads B19 Wrong instruction to diver
V9 Unloaded tank deballasting effect B20 Block landing effects
V10 Pumping error B21 Prior experience assumption
182
The information that is related to most uncertainty factors of failure in pontoon deck is not
numerical. Fuzzy set theory provides an approximate model for the evaluation of risk faced by
a typical floating dock pontoon failure through a linguistic approach. The procedure for fuzzy
risk analysis is based on the framework outlined in Section 5.5, which consists of seven (7)
steps: Hazard identification and fault tree construction, belief rule base inference, input
transformation, rule inference using the evidential reasoning approach, defuzzification of
output, convert crisp possibility score to probability value, importance calculation of immediate
events and minimum cut sets. The first step is a compilation of a list of the most significant
uncertainty factors and their descriptions, as in Table 5.3. This is the identification of risk
associated with typical pontoon deck failure. However, little empirical research has focused on
identifying the potential accident scenarios. The dimension of risk is listed in Table 5.4,
formulated as a result of risk fault tree classification diagram in Figure 5.10.
Figure 5.10: Fault tree diagram of pontoon deck failure
5.7.2 Expert linguistic input data
Due to lack of the precise probability data of Base events (BEs) of failures on pontoon deck in
floating dry dock industry, the approach synthesizing the fuzzy set theory and experts’
linguistic judgements is proposed to quantify the occurrence possibilities of the BEs. In this
183
study five experts, including a reliability analyst are invited to perform the assessments of each
BE. In order to capture experts’ linguistic notions of the probabilities for each events, the
linguistic scale presented in Section 5.7.1 is proposed. An example of input data for base event
(B19), B12 and B1 is presented in this study for illustrative purposes. RIMER was proposed
by Yang (2002) based on the evidence theory. RIMER consist of two parts, first building the
BRB and then integrating the activated rules from the BRB using the ER algorithm, as briefly
introduced in Section 5.5. When a BRB is constructed, it is required to cover all possible
combinations of each attribute for each basic event (or attribute). Based on RIMER framework
presented in Section 5.5, the steps considered are:
1. Step 1: Determine the three parameters concerning the structure of the BRB, including
the number of attributes (base events) and alternatives for each attribute (middle events)
and number of immediate events.
2. Step 2: Invite experts to link attributes to those having strong connections. The experts
are required to select the appropriate linguistic scale of the base event probability of
failure.
3. Invite experts to give rules for the input data.
4. Identify and integrate the activated rules using RIMER is the kernel part of this study.
5.7.3 Belief rule inference using evidential reasoning (ER)
To illustrate how the RIMER system works in this framework, the definitions of the belief rules
using linguistic terms with the consequents having the dedicated belief degrees considering
only three indicators are given in Table 5.1. Using the rule-base and the RIMER inferences,
the consequent estimate is generated. In the following, three scenarios are explored on some
possible combinations of the values to obtain the output. In this case, base events (B) – B19
(lack of periodic maintenance), B12 (buoyancy capacity), and B1 (priori assumption error) –
are used. Scenario 1: the input for “lack of periodic maintenance (B19)” is given by five experts
(E1.., E5, with different experience, hence different weights in the floating dry-dock industry)
with the three indicators’ linguistic description (FCP,CS ,FL) as presented in Table 5.5 to Table
5.10. Details of the input data for other base events not presented here is seen in Appendix 6.
Scenario 1: the input for “lack of periodic maintenance (B12)” is given by five experts (E1..,
E5, with different experience, hence different weights in the floating dry-dock industry) with
the three indicators’ linguistic description (FCP,CS ,FL) as presented in Table 5.5.
184
Step 1: Transform the input. Here the input is given in linguistic terms with the belief degrees
based on subjective judgement. Each belief is the individual matching degree of the input to
the linguistic values. The input for B19 is presented in Table 5.5 and Figure 5.11.
Step 2: Calculate the rule activation weights. The activation weights WK for all the 18 rules RK
(K =1…..9) are generated.
Table 5.5: Expert input for B19
Figure 5.11: B19 Rules combination
Table 5.6: Rule weight for B19
E/B B 19
E1 FLHF CS
CR FCPHL
E2 FLAV CS
MO FCPHU
E3 FLL CS
MO FCPHU
E4 FLL CS
MO FCPU
E5 FLL CS
CR FCP HU
S O S 19
HF CR HL
AV MO HU
L MO HU
L MO U
L CR HU
3/5 HF 1/5 CR 1/5 HL
1/5AV 3/5 MO 1/5 U
1/5L 3/5 HU
NO Rule weight FL CS
FCP Rule
1 (3/5) ( 1/5)( 1/5) HF CR HL 119
2 (3/5)(1/5) (1/5) HF CR U 117
3 (3/5)(1/5)( 3/5) HF CR HU 116
4 (3/5) (3/5 (1/5) HF MO HL 114
5 (3/5)( 3/5)(1/5) HF MO U 112
6 (3/5)(3/5)(3/5) HF MO HU 111
7 (1/5)(1/5 (1/5) AV CR HL 69
8 (1/5)(1/5)(1/5) AV CR U 68
9 (1/5)(1/5)(3/5) AV CR HU 67
10 (1/5)(3/5)(1/5) AV MO HL 64
11 (1/5)(3/5)(1/5) AV MO U 62
12 (1/5)(1/5)(1/5) AV MO HU 61
13 (1/5)(1/5)(1/5) L CR HL 44
14 (1/5)(1/5)(1/5) L CR U 42
15 (1/5)(1/5)(3/5) L CR HU 41
16 (1/5)(3/5)(1/5) L MO HL 39
17 (1/5)(3/5)(1/5) L MO U 37
18 (1/5)(1/5)(1/5) L MO HU 36
3 x 2x 3 = 18 rules = =
Expert aggregation
of base events to
obtain output
185
Step 3: Combining activated rules. The ER approach is employed to combine the activated
rules. The activated rules can be combined to yield the following outcome: S19 = [0.2713VP,
0.1878P, 0.3351A, 0.0848G, 0.121VG], which means that we are 27.13% sure that B19 can
happen with very poor confidence, 18.78% poor confidence, 33.51% average confidence,
8.48% good confidence, and 21.1% very good confidence.
Scenario 2: the input for “buoyancy capacity (B12)” is given by five experts (E1.., E5, with
different experience, hence different weights in the floating dry-dock industry) with the three
indicators’ linguistic description (FCP,CS ,FL) as presented in Table 5.7 and Figure 5.12.
Table 5.7: Expert input for B12
Figure 5.12: B12 Rules combination
Table 5.8: Rule weight for B12
E/B B 12
E1 FLF CS
NE FCPU
E2 FLA CS
NE FCPHU
E3 FLA CS
NE FCPHU
E4 FLL CS
MO FCPU
E5 FLA CS
MO FCP HU
S O S 12
F NE U
A NE HU
A NE HU
L MO U
A MO HU
1/5 F 3/5NE 3/5 HU
3/5 A 2/5MO 2/5U
1/5 L
NO Rule weight FL CS
FCP Rule P F A G VG
1 (1/5) (3/5)( 3/5) F NE HU 76 0.35 0.65
2 (1/5)(3/5) (2/5) F NE U 77 0.35 0.25 0.4
3 (1/5) (2/5)( 3/5) F MO HU 86 0.35 0.4 0.25
4 (1/5) (2/5)( 2/5) F MO U 87 0.35 0.4 0.25
5 (3/5) (3/5)( 3/5) A NE HU 51 0.35 0.65
6 (3/5) (3/5)( 2/5) A NE U 52 0.35 0.25 0.4
7 (3/5) (2/5)( 3/5) A MO HU 61 0.75 0.25
8 (3/5) (2/5)( 2/5) A MO U 62 0.75 0.25
9 (1/5) (3/5)( 3/5) L NE HL 26 0.35 0.65
10 (1/5) (3/5)( 2/5) L NE U 27 0.6 0.4
11 (1/5) (2/5)( 3/5) L MO HU 36 0.4 0.35 0.25
12 (1/5) (2/5)( 2/5) L MO U 37 0.4 0.6
3 x 2 x 2 = 12 rules =
=
186
Scenario 3: the input for “priori assumption error (B1)” is given by five experts (E1.., E5, with
different experience, hence different weights in the floating dry-dock industry) with the three
indicators’ linguistic description (FCP,CS ,FL) as presented in Table 5.9 and Figure 5.13.
Table 5.9: Expert input for B1
Figure 5.13: B1 Rules combination
Table 5.10: Rule weight for B1
5.7.4 Combining activation rules
The IDS software is used to combine the activation rules and presented in Table 5.11. Using
eqn. 5.11, the output of combination rules is called crisp probability value (CPV) and presented
in Table 5.11. Then lastly the probability value (PV) is calculated using eqn.5.12 and eqn. 5.13
is calculated and presented in Table 5.11.
5.7.5 Fault tree quantitative analysis
In order to ensure compatibility between CPS and the exact probability data obtained from
sufficient statistical inference CPS must be converted into the form of probability data. This
can be achieved by using eqn. 5.12 and 5.13. The corresponding probability of occurrence of
E/B B 1
E1 FLL CS
MO FCPU
E2 FLL CS
MO FCPU
E3 FLAV CS
MO FCPHU
E4 FLL CS
MO FCPHU
E5 FLF CS
MO FCP U
S O S 1
L MO U
L MO U
AV MO HU
L MO HU
F MO U
3/5 L 5/5 MO 2/5 HU
1/5AV 3/5 U
1/5 F
NO Degree FL CS
FCP Rule P F A G VG
1 (3/5) (5/5)(2/5) L MO HU 36 0.4 0.35 0.25
2 (3/5)(5/5)(3/5) L MO U 37 0.4 0.6
3 (1/5) (5/5)(2/5) AV MO HU 61 0.75 0.25
4 (1/5) (5/5)(3/5) AV MO U 62 0.75 0.25
5 (1/5) (5/5)(2/5) F MO HU 86 0.35 0.4 0.25
6 (1/5) (5/5)(3/5) F MO U 87 0.35 0.4 0.25
= =
3 x 1 x 2 = 6 rules
187
base events B1 to B21 is presented in Table 5.11. This value can be input into the fault tree
analysis software package discussed in Section 5.5.8 with t = 100,000 hours and with project
options presented in Figure 5.14.
Figure 5.14: Project options
Table 5.11: Probability value of base event
B SAFETY OUTPUT (SO) CPV PV
B1 [0VP, 0.51F, 0.4915A, 0.37G, 0.8099VG] 0.70546 0.10966
B2 [0VP, 0.2785F, 0.198A, 0G, 0.5262VG] 0.09106 1.1091 x 10-5
B3 [0.172VP, 0.399F, 0.2108A, 0.99G, 0.118VG] 0.93923 0.1192009
B4 [0VP, 0.0811F, 0.1755A, 0.353G, 0.3902VG] 0.0332 8.334 x 10-8
B5 [0.161VP, 0.393F, 0.233A, 0.885G, 0.1241VG] 0.63376 0.12111
B6 [0VP, 0F, 0.1295A, 0.4015G, 0.4691VG] 0.05867 1.572 x 10-6
B7 [0VP, 0F, 0A, 0.226G, 0.774VG] 0.413 2.5876 x 10-3
B8 [0.1433VP, 0.3129F, 0.5438A, 0G, 0VG] 0.3012 3.371 x 10-4
B9 [0VP, 0.439F, 0A, 0.561G, 0VG] 0.152 8.298 x 10-5
B10 [0VP, 0.1134F, 0.4067A, 0.124G, 0.3554VG] 0.062 2.0448 x 10-6
B11 [0VP, 0F, 0.317A, 0.8114G, 0.1287VG] 0.4025 2.372 x x 10-3
B12 [0VP, 0.593F, 0.383A, 0.147G, 0.4099VG] 0.179 1.5047 x 10-4
B13 [0.34VP, 0.3175F, 0.22687A, 0.4218G, 0VG] 0.1445 6.9199 x 10-5
B14 [0VP, 0.133F, 0.542A, 0.2075G, 0.1163VG] 0.124 3.845 x 10-5
B15 [0VP, 0F, 0.657A, 0.4047G, 0.5296VG] 0.2919 8.1003 x 10-4
B16 [0VP, 0F, 0.25A, 0.4G, 0.35VG] 0.04157 2.8247 x 10-7
B17 [0VP, 0F, 0A, 0.25G, 0.75VG] 0.355 1.557 x 10-3
B18 [0VP, 0.211F, 0.9491A, 0.29G, 0VG] 0.6446 0.01298
B19 [0.271VP, 0.188F, 0.3351A, 0.0848G, 0.12VG] 0.0984 1.5339 x 10-5
B20 [0VP, 0.214F, 0.459A, 0.326G, 0VG] 0.0963 1.4014 x 10-5
B21 [0VP, 0.419F, 0.58A, 0G, 0VG] 0.2022 2.3121 x 10-4
188
5.7.6 Results
Results of occurrence probability of top event show that at time t = 100, 000 hours, is 0.47%
obtained from when project options in Figure 5.14 are used, which matches experts’ judgement.
An important aim of many reliability and risk analyse is to identify the most important base
events or immediate events and minimum cut sets from reliability or risk viewpoint so that they
can be given priority for improvements. The most crucial middle events in the pontoon failure
fault tree for causing the occurrence of top event can be justified through FV-importance (FV-
I) measures. Using Eq. (5.16), the FV-I indexes of all immediate event are calculated and
ranked as shown in Figure 5.15 and Figure 5.16. The result helps to conclude that particular
attention must be given to the events U4, U2, U3, U5 and U1 in descending order.
Figure 5.15: TE Graphical result Figure 5.16: TE Result summary
According to the FV-I and FV-I ranking result, the immediate events which have to be given
the utmost attention are U4 (keel blocks loads) and U2 (Pontoon deck bending up around keel).
The second immediate event to be receive attention is U3 (deflection of dock longitudinally),
and fourth is U5 (Wing wall shear force). The least immediate events to receive attention is U1
(allowable transverse bending moment of pontoon deck reduction by 70%). The calculations
have been carried out by fuzzy rule based approach and traditional approach. Table 5.10
presents the final important results. The result shows that;
1) Fuzzy rule base fault tree provides detailed information about the contribution of
linguistic rating scale to the occurrence probability of base events.
2) There is a slight difference in the most critical middle events and slight differences in
ranking of the base events.
189
5.7.7 Sensitivity analysis
Parameter sensitivity analysis is completed to show how sensitive the results of a belief update
(propagation of evidence) are in variations in the values of a parameter in the model. The
parameters of a model are the entries of probability of failures. Improving the failure rates of
basic events 1, 3, 12, 13 and 19 by 55 % means that, RCO1 is well implemented and results
from fault tree analysis shows the occurrence probability of top event reduced from 0.47% to
0.35, leading to a percentage reduction of 45.8%. Again, improving the failure rates of basic
events 13, 20 and 21 by 30% means that, RCO 2 is well implemented and results from the fault
tree analysis shows the occurrence probability of top event is reduced from 0.47% to 0.256%
leading to a percentage reduction of 46.4%. Thirdly, improving the failure rates of basic events
2, 11, 17, 18 and 19 by 15% means that RCO 3 is well implemented and results from the fault
tree analysis shows the occurrence probability of top event is reduced from 0.47% to 0.39%
leading to a percentage reduction of 46.1%. The results from the sensitivity analysis shows
that, an improvement of base events leads to reduction of occurrence of top event.
5.7.8 Discussion
The main reason for this difference is that fuzzy rule base FTA approach distributes all base
events data uncertainty in the rule developed. In reality it is unreasonable to evaluate the
occurrence of each base event by using a single-point estimate without considering inherent
uncertainty and imprecision a state has. Overall the noteworthy attributes of the fuzzy rule base
FTA approach, including the resilience towards lack of precision in base event data and more
detailed probability information provided, confirmed that the fuzzy rule base FTA approach
enables better probability assessment of the accident analysis and more reliable identification
of the most critical middle events, and hence provides effective help for risk management and
decision making.
According to the results of this study, the following conclusions are drawn: (1) The fault tree
of floating pontoon failure is constructed, and the qualitative analysis of the tree shows that it
totally includes 21 base events and 5 minimal cut-sets possibly leading to the accident; (2) The
proposed approach which incorporates the fuzzy rule base theory and the conventional FTA
technique is demonstrated as a viable and effective method for estimation of the top event
occurrence probability when encountered with base event uncertainty; (3) The approach can
be used to perform the important analysis of the pontoon failure fault tree which can provide
valuable information for the decision maker to improve the safety performance of the floating
docking operation.
190
FTA is a useful and effective method for identifying the root causes of certain accidents. In this
study, FTA was used to show how root causes, which are also the basic events in the FT,
interact to cause the complete loss of a floating dry dock. The results show the two most
common root causes of these accidents are ‘keel blocks load’ and ‘pontoon decks bend up
around keel’. Therefore, sufficient attention and resources should be allocated to maintain the
keel block calculation loading diagrams and also on the pontoon deck for bending around the
keel.
5.7.9 Conclusion
This chapter outlines and explains a philosophy of subjective risk based risk analysis and
decision making for risk control and management in floating dry docking operations using
fuzzy logic and ER approaches. For each base event, the safety output is obtained first by using
FRB-ER approach. Then the FT is used to calculate the occurrence probability of top event.
Finally the most important immediate events are identified for decision making. The belief rule
base system introduced in terms of flexibility, applicability and predictive performance was
well balanced. Specifically, the major advantage of the BRB is that it offers and facilitates a
very simple and efficient rule based generation approach with high performance from the given
sample data from consulted experts in the floating dry docking industry. It is worth noting that
that the distinct feature of this proposed BRB model leads to decision attributes definitions,
rule base representation and generation, inference can be designed and implemented in an
integrated fault tree system. A case study in a real world pontoon failure has shown the high
efficiency and consistently better performance approach.
As traditional rule base including fuzzy rule base as well as belief rule base in RIMER are all
special cases of the BRB, it’s believed that such more general, flexible, and efficient and
effective rule based representation, inference, and generation system is more acceptable in
more complex systems. Rule base updating is also an interesting issue as well to be investigated
to fit with dynamic situations, it is easy to see the proposed BRB actually already provided a
much easier way to update the rule when new sample data is added, that is simply to add a new
rule generated from this new data. It is possible to add a new test data result into the generated
rule base iteratively in order to obtain a better overall performance.
191
Chapter 6 – Risk Control Options and Cost Benefit Analysis for Docking Operation
Summary
In this chapter, a failure/accident analysis model is proposed to develop the cost-effective
safety measures for preventing accidents in dry docking and undocking operations. The model
comprises two parts. In the first part is a quantitative failure analysis model built by Bayesian
Network (BN) which can be utilised to present the corresponding prevention measures. In the
second part, the proposed prevention measures are ranked in a cost-effective manner through
a Bayesian Network (BN) approach. A case study is analysed as an illustration. The case study
shows that the proposed model can be used to seek out failure/accident causes and rank the
derived safety measures from a cost-effectiveness perspective. The proposed model can provide
accident investigators with a tool to generate cost-efficient safety intervention strategies.
6.1 Introduction
When an accident occurs, it is important to understand the root cause in order to take effective
preventive measures. A failure model provides the cause effect analysis. Failure analysis
always implies a failure model is a set of assumptions of what the underlying mechanism is
(Hollnagel, 2002). A failure model is an abstract conceptual representation of the occurrence
and development of an accident; it describes the way of viewing and thinking about how and
why an accident occurs (Huang et al., 2004). Accident model is also a very important process
for providing input into the development of proactive and cost-effective safety measures
(Psarros et al., 2010).
Naturally, a qualitative failure model has some weaknesses such as managing information
systems for effective safety measures in: availability, performance, security, and modifiability,
as well as in predicting values in different future scenarios in today’s complex ship docking
and undocking operation, which remains a great challenge (Franke et al., 2009). First, a great
number of factors influence a system’s cost-effective safety measures. Second, the factors are
intertwined in a complex manner. The researcher who sets out to model these
interdependencies thus inevitably faces a discomforting number of modelling choices, all of
which to some extent influence the ability of the final assessment framework to provide
accurate decision support for managing decisions (Franke et al., 2009). Furthermore, all
modelling choices represent a cost in terms of collecting the information needed for actually
using the model. This cost, whether expressed in money, effort, or time, must be kept under
192
control, lest the entire effort of modelling the cost-benefit effectiveness be misguided (Franke
et al., 2009).
As opposed to other publications addressing similar issues, such as Fenton and Pfleger (1997),
Zuse (1997) and Kan (2003), this chapter adopts Bayesian formalism for expressing these
uncertainties. The application of Bayesian networks (BNs) in a graphical environment for
decision support using cost-effectiveness enables us to create the most efficient model, given
the available information on uncertainties and the cost of data collection. With a hierarchy of
nodes and states defined, a BN, which represents the relationship among failure variables, can
be constructed.
The relationship depicted in any hierarchy structure is mapped onto the BN via its graphical
representation with edges connecting nodes at a particular level to those located one level
below. Even if the data available before modelling is scarce, the proposed model forces the
modeller to make implicit assumptions explicitly, hence decisions become transparent.
Furthermore, cost efficiency is taken into consideration in the early phases (IMO, 1997;
Norway, 2000).
The purpose of cost benefit analysis (CBA) is to compare the costs and benefits associated with
the implementation of safety measures. There are many papers carrying out safety assessment
using a formal safety assessment (FSA) method, in line with well-established cost-effective
criteria (IMO, 1997; Norway, 2000). This study applies BN techniques to analyse and verify
the relationships among cost and benefit factors in dry docking and undocking operations,
using expected cost factors, expected benefit factors, risk reduction factors, reference value
factors, and uncertainty factors (IMO, 1997; Norway, 2000).
This chapter presents findings of analysis of stability and pontoon deck failure in floating dry
dock docks, and the dry dock gate failure of graving docks. The examinations presented are:
(1) the cost effectiveness of a failure model of a large dry dock gate in Birkenhead graving
dock, UK, where the results of possible risk control options using fault tree-Bayesian network
(FT-BN) are revisited; (2) the cost-effectiveness of an accident model of a typical floating dry
dock pontoon failure due to transverse bending, whereby the outcome of using the fuzzy rule
base with belief degree and evidential reasoning presents possible risk control options to help
prevent future accidents of buckling failure of the deck (IMO, 1997; Norway, 2000).
193
The result of this failure/accident analysis model is safety risk measures categorisation. Lessons
learned from accidents are important for identifying weaknesses in the present system and
avoiding them in future (European Communities, 2001). For existing failure models, the
quantitative analysis for failure modes and cost-effectiveness analysis for safety measures are
not sufficient. As a response, an extended failure model analysis is constructed to seek failure
causes and propose cost-effective safety measures in this chapter. The benefits of applying BN
cost-effective measures are obtained where the findings provide great potential to improve the
strategic planning of docking and undocking operations, hence adopting more suitable
development activities related to risk.
This chapter is organised as follows: the problem is defined in Section 6.2. Section 6.3 provides
the safety measures review. Section 6.4 contains the cost-effectiveness analysis factors which
present how a BN can show relationships among cost, benefit, risk reduction, reference value
and uncertainty factors. Section 6.5 presents a framework of BN-based cost-effectiveness
relationship analysis. Section 6.6 provides the results and Section 6.7 is the conclusion and
further study. Figure 6.1 presents the flowchart of the development of this study.
Figure 6.1: Flow chart of the development of study
2. Problem definition
(Statement of Problem) 3. Safety measures review
(Accident and Data Reporting)
4. Cost-effectiveness analysis factors
(Evaluation criteria and Sub-criteria)
5. Bayesian cost-effective model framework
(Selection of Fundamental Risk Model)
Risk
Analysis and
Estimation 6. Results
7. Conclusion
1. Introduction
194
6.2 Problem Definition
6.2.1 Background problem
The risk control options and cost benefit analysis, of a high level Formal Safety Assessment
(FSA) pertaining to floating and graving dry docks according to the FSA guidelines issued by
IMO (IMO, 2002). In this stage different risk control options (RCOs) are identified to control
the major risks identified in the previous chapters. The RCOs are then assessed through cost
benefit analysis using the standard IMO procedures and criteria for cost effectiveness. The
assessment consists of three parts: (a) identification of relevant risk control options; (b)
estimation of risk reducing effect of identified RCOs; (b) evaluation of cost benefit of RCOs.
The results of previous tasks in Chapter 4, and 5 (risk analysis) are used in this of chapter risk
control options and cost benefit analysis, covering the final steps of the FSA process. The list
of prioritised hazards has been used as input for building risk models and for the identification
of appropriate risk control options.
Risk control option is Step 3 of FSA, it proposes effective and practical RCOs compromising
of the following stages: (1) focusing on risk areas needing control; (2) identifying potential
RCOs; (3) evaluating the effectiveness of the RCOs in reducing risk by re-evaluating Step 2
(risk analysis); (4) grouping RCOs into practical regulatory options. The objective of this
Chapter is to address points 1 - 4. The output from this step comprises: (a) a range of RCOs
which are to be assessed for their effectiveness in reducing risk, and; (b) a list of interested
entities affected by the identified RCOs.
Cost benefit assessment as described in MSC (2003) is to identify and compare the achieved
risk reduction and benefits with the costs associated with the implementation of each RCO
identified and defined in Step 3. A cost efficiency assessment following the IMO procedure
may consist of the following stages: (1) consider the risks assessed in Step 2 (risk analysis)
both in terms of frequency, consequence and failure consequence probability, in order to define
the base case in terms of risk levels of the situation under consideration; (2) arrange the RCOs
in a way to facilitate understanding of the costs and benefits resulting from the adoption of an
RCO; (3) estimate the pertinent costs and benefits for all RCOs by reassessing the risk
assuming the option under consideration is in place and comparing the risk level to the
established base case; (4) estimate and compare the cost effectiveness of each option, in terms
of the cost per unit risk reduction by dividing the net cost by the risk reduction achieved as a
result of implementing the option; and (5) rank the RCOs from a cost-efficiency perspective in
195
order to facilitate the decision-making recommendations in Step 5. There are several indices
used by IMO that express cost effectiveness in relation to safety of life and the environment in
the maritime industry are : Gross Cost of Averting a Fatality (GCAF) (eqn.6.1), and Net Cost
of Averting a Fatality (NCAF) (eqn.6.2).
GCAF = ∆C/∆Rs (6.1)
NCAF = ∆C-∆B/ ∆Rs (6.2)
Where, ∆C is the cost per floating/graving dock of the risk control option during the lifetime
of the system, ∆B is the economic benefit per floating/graving dry dock per ship resulting from
the implementation of the risk control option during the lifetime of the system (includes
environmental and property benefits), ∆R is risk reduction per floating/graving dock, in terms
of the number of fatalities averted (∆Rs). Concerning the analysis of cost effectiveness, its
criticism can be elaborated upon the following points. Firstly, because NCAF/GCAF imposes
the maximum cost of averting a fatality, one feels that the avoidance of a fatality, if such is
possible, should be done at all costs rather than having this cost fixed (Puisa and Vassalos,
2013).
In addition to this ethical dilemma, the continuous adjustment process of NCAF and GCAF
values makes their application troublesome. Hence, an ideal situation would be to avoid
imposing any maximum values at all or amend the approach by an alternative. Secondly, there
is a clear overlap between NCAF and GCAF criteria. Specially referring to the original
interpretation of the criteria in IMO (2003) page 56: (a) GCAF or NCAF- in principle, either
of the two criteria can be used. However, it is recommended to firstly consider GCAF instead
of NCAF. The reason is that NCAF also takes into account economic benefits from RCOs
under consideration. This may be misused in some cases for pushing certain RCOs rather than
other RCOs. If the cost-effectiveness of an RCO is in the range of the criterion, then NCAF
may be also considered (Puisa and Vassalos, 2013).
6.2.2 Cost-effectiveness analysis problem
Cost-effectiveness analysis is often used as the basis for evaluation of alternative safety
measures. In such an analysis, indices of the form ‘expected cost per expected number of lives
saved’ are calculated. This method does not explicitly set a value to the benefit, e.g. value of a
statistical life, as is required in a cost-benefit analysis. The cost-effectiveness analysis is a well-
established discipline (Reed et al., 2010). There is, however, a gap between the theoretical cost-
196
effectiveness analysis and the practical implementation of the tool as providing decision-
making support. Ideally, the decision-maker should have a number of methods at hand. Some
of these should be detailed and sophisticated and be used when a few safety measures are
compared and the consequences of unfavourable decisions are severe. On the other hand, a
simplified method to sort out some cost-effective measures for many alternatives in less
complicated studies or pre-studies before more sophisticated comparisons is required (Reed et
al., 2010).
Traditional cost-effectiveness indices such as expected cost per expected number of lives saved
provide useful insight, but, as pointed out by many analysts and researchers, cost-effectiveness
indices based on expected values are not sufficient for evaluating cost effectively. Uncertainty
must be considered beyond the cost-effectiveness indices. The main problem is that the
expected values are conditional on specific background knowledge, and expected values could
produce poor predictions (Reed et al., 2010). Surprises may occur, and by only addressing
expected values such surprises may be overlooked (Aven, 2007, 2008). A similar idea
underpinning these approaches is seen in risk governance framework (Renn 2008) and the risk
framework used by the UK Cabinet Office (Cabinet Office 2002).
6.2.3 A priori assessment problem
Many safety measure properties – availability, performance, security, and modifiability, to
name a few – share the elusive feature that while they are easy to define a posteriori, i.e. after
system implementation, such definitions give precious little guidance on how to ensure them a
priori, i.e. before safety measure implementation. For example, measuring the cost of change
of a system a posteriori is mere book-keeping (Franke et al., 2009), but assessing it beforehand
is a formidable task. Such assessment must be carried out by measuring variables available
prior to the modification (Franke et al., 2009).
A typical running cost with six key problems will be addressed in this chapter (Franke et al.,
2009): (1) the choice of a priori measurement quantity is the problem of finding a measure
(complexity) that correlates accurately with the sought a posteriori quantity (cost of change);
(2) definitional uncertainty must be handled since most concepts of safety measure can be
interpreted in many different ways; (3) measurement devices, which range from software tools
to expert estimates, are necessary and crucial instruments, but introduce further uncertainties;
(4) selection of appropriate scales affects precision and imposes constraints on which statistical
operations are permissible to be performed on the data; (5) discretisation of measurement
197
variables simplifies measurements and maps them onto the desired scales, but only at the cost
of lost accuracy; (6) the overall accuracy of the model must be weighed against the cost of
performing the measurement. Out of several models, the most cost-efficient one always ought
to be selected. Therefore, this chapter scrutinises a number of general problems related to
measurements of cost-effective-related decision-making activities. It has been argued that these
problems are not in general given sufficient thought when making decisions about how to
model software systems in failure/accident modelling in docking and undocking a vessel. The
risk safety measures used in this chapter provide ample proof of the concept regarding the
method proposed. However, due to somewhat laborious nature, care should be taken when
deciding how and when to model.
6.3 Safety Measures Review in Docking and Undocking Operations
6.3.1 Safety measures key information
The starting point for the suggested approach is the risk assessment process, as described in
standards relevant for risk management – see for example ISO 31000 (2008) and ASNZS4360
(2004). The key information for evaluating safety measures is: (1) information about safety
requirements in regulations; (2) alternative safety measures and their effects and cost; (3) risk
reduction effect; (4) information about uncertainty; (5) decision-makers’ reference value; and
(6) other factors like political issues, media focus, stakeholders’ preferences, etc. Attention is
paid to aspects 2-5 in the list: the effectiveness, cost, uncertainty, reference value and risk
reduction aspects. Aspect number 1 is not subject to the decision-making process in this study,
and, although number 6 certainly affects the decision-making process, it is not covered by the
cost-effectiveness model presented.
6.3.2 Risk safety measures for gate and pontoon deck failure
The main purpose of formal safety assessment is to rank accident causes, evaluate and control
the risks for docking and undocking success using an effective risk analysis tool. After
calculating the probability of accident, the appropriate risk control option is then implemented
using a cost effective analysis. The overview of this framework is presented in Figure 6.2.The
measurement of a docking operation is difficult because it may be changed by the docking
phase and decision makers involved. However, these docking criteria are generally measured
by time overrun, cost overrun, and technical performance (Baccarini and Archer, 2001;
Williams, 1993).
198
The two failure models studied in the previous chapter of this research are revisited. The first
(Study A) is the failure mode of a dry dock gate in Birkenhead, UK having 6 risk control
options (RCO), 8 risk safety measures (RSM) and 24 risk control measures (RCMs). One
accident model (Study B) is revisited as presented in chapter 5. This is the total loss of DN27
floating dry dock accident involving transverse bending failure of the pontoon consisting of 6
RCOs, 6 RSMs and 21 RCMs. RCOs are grouped into maintenance (Ma), awareness (A),
inspection (I), monitor (Mo), prevention (P), re-design (D), guidelines (G) and operations (O).
Figure 6.2: Formal safety assessment showing cost-benefit assessment
The output from the step of cost-benefit assessment is: (1) costs and benefits for each RCO
identified from an overview perspective; (2) costs and benefits for those interested entities
which are the most influenced by the problem in question and; (3) cost effectiveness expressed
in terms of suitable indices. The purpose of this study only point to 1 and 3 just described. The
risk safety measures for gate failure and pontoon deck failure are used as an input for cost
benefit assessment. The benefits are the avoidance of accidents and these can be measured by
evaluating the avoidance of harm to people, damage to property and environment, and other
Failure/Accident Analysis Model
Failure/Accident Analysis (FST, ER, FT and BN)
Safety Measure Establishment
Failure/Accident Analysis after
safety measure
Cost-Benefit Assessment
All safety
measures evaluated
Recommendations
End of dry docking operation
failure/accident analysis. End of
FSA
Analyse the dry docking accidents using FST,
ER,FT and BN
Propose the corresponding safety measures based
on the rank accident causes
Calculate the probability of dry docking accident
after implementing safety measure and evaluate
the effectiveness of safety measure
Carry out Cost-Benefit analysis using BN model
framework and crisp probability value
Rank the proposed safety measures based on risk
reduction and Cost-Benefit analysis
199
costs. Potential risk control options are: Operations (O) - (proper equipment), Awareness (A) -
(improved training, drills to respond to common incidents, special procedures for higher risk
evolutions, response plans, emergency plans), Preventive Maintenance (Ma) - (detailed
procedures), Monitor (Mo) - (enhanced surveys), Inspection (I) - (improved enhanced surveys),
Redesign (Rd) - (alarms, communication equipment, remote sensors, re-check lists for routine
evolution) (Lois et al., 2004). These are the six categories according to which the risk control
options (RCOs) are evaluated. Table 6.1 presents the RCO for the failure mode of a dry dock
gate in Birkenhead, UK.
Table 6.1 Risk safety measures for study A
RCOA RSM RCM
1) Maintenance on rolling rails (Mo)
1) Maintenance of towing system 2) Maintenance on rollers (Mo)
1. Maintenance 3) Maintenance on system failure (Mo)
2) Improve awareness on preventing any buoyancy in upper
chamber
4) Maintenance on air chamber (O)
5) Check stability issues (O)
3) Constantly controlling an even draught 6) Maintenance on flap wires (Mo)
2. Awareness 7) Maintenance on ballast tanks (Ma)
8) Maintenance on wires (Ma)
4) Improve structural inspection on structural elements 9) Maintenance of floors (Ma)
3. Inspection 10) Maintenance of walls (Ma)
11) Maintenance on handrail (Ma)
5) Monitor loads from water pressure-rolling of recess 12) Maintenance on ladder (Ma)
4. Monitor 13) Prepare against increased sea state (O)
14) Prepare against high tides (A)
6) Maintenance on gate water tightness 15) Prepare against hurricane (A)
16) Increase inspection on the rubber L-shape (I)
5. Prevention 17) Improve strength on sea state effect (A)
7) Preventing failure of control system 18) Improve strength against hurricane (P)
19) Check water level (O)
6. Operations 20) Check control system (Mo)
21) Improve undetactability (P)
8) Tank Operations issues 22) Inspection on trimming tanks (I)
23) Improve maintenance on scuttle tanks (Ma)
24) Improve scrum tank inspection (I)
The expected output of this assessment is to identify cost and benefit for gate failure and
pontoon deck failure from an overview perspective. The purpose of identifying risk control
options is to propose an effective way of minimising high risks identified from the information
produced in the risk assessment.
The identification of RCOs can have the following attributes: (1) those relating to the
fundamental type of risk reduction (i.e. preventative or mitigating); (2) those relating to the
200
type of action required and therefore to the cost of the action (i.e. the engineering procedural);
(3) those relating to the confidence that can be placed in the measure (i.e. active or passive and
single or redundant). The practical RCOs’ action can be determined by repeating risk analyses
and comparing the results to the original case (Lois et al., 2004). Table 6.2 presents the total
loss of DN27 floating dry dock accident involving transverse bending failure of the pontoon
consisting of 6 RCOs, 6 RSMs and 21 RCMs. RCOs are grouped into maintenance (Ma),
awareness (A), inspection (I), monitor (Mo), prevention (P), re-design (D), guidelines (G) and
operations (O).
Table 6.2: Risk safety measures for study B
RCOC RSM RCM
1. Awareness 1) Avoid a priori experience assumptions (A)
1) Improve knowledge on wing wall shear force 2) Check load landing effects (Mo)
3) Improve divers’ skills (A)
4) Check increased buoyancy inspection (I)
2) Inspect keel blocks load 5) Check no ship on tank effect (O)
2. Inspection 6) Check high load (Mo)
7) Check design limit (Re)
3) Monitor and inspect deflection of dock longitudinally 8) Proper calculations on loads on blocks (G)
9) Double-check dock rating (G)
3. Monitor 10) Longitudinal deflection measuring follow-up (I)
11) Transverse stress measuring improvement (Mo)
4) Inspect pontoon decks for bend-up around keel 12) Check buoyancy capacity (A)
13) Check block loads (A)
4. Operations 13) Inspection on buoyancy tank load (I)
15) Check concentrated tank load (Mo)
16) Check buoyancy over pontoon deck (O)
5. Guidelines 5) Guidelines’ improvement on allowable transverse bending 17) Improve verification scheme (Mo)
18) Improve periodic maintenance (M)
19) Maintenance on gate water tightness (M)
6. Redesign 20) Improve ultrasonic measurement (I)
21) Inspection on corrosion attack (I)
6.3.3 Risk control and risk re-assessment result
After the main failure or accident causes are discerned for studies A, and B, in Section 4.3.1,
and Section 5.3.2 respectively, the corresponding RCOs are presented. In order to evaluate the
effectiveness of the proposed safety measures, the reduction of accident probability after
implementing every safety measure is calculated using the posterior inference of BN and fault
tree analysis for the corresponding failure/accident model. Risk items which affect docking
operations performance are measured by a sensitivity analysis in BN (study A) and fault tree
201
(studies B). Important risk items with respect to identified RCOs that should be controlled are
identified. After the risk items to be controlled are identified, the extents to which the
probabilities of undocking operational performance risk are subjected with the relative change
in various degrees of RCO implementation (Lee et al., 2009). To achieve a balance, the benefit
of a RCO must be considered and compared to the cost of its implementation. The cost benefit
BN model compares estimated levels of risk against the pre-established criteria and considers
the balance between potential benefits. This enables decisions to be made about the extent and
nature of treatments required and about priorities (ASNZS4360, 2004).
6.4 Cost-Effectiveness Analysis Factors
In the evaluation of safety measures a cost-effectiveness analysis may be adopted. A cost-
effectiveness analysis compares the costs and the effects of a decision alternative, where the
cost is measured in monetary terms and the effects are measured in natural units, such as lives
saved (Boardman et al., 2006, Baron, 2000 and Petitti, 2000). Other important factors
considered in the cost-effectiveness frameworks are: the reference values (Reed et al., 2010),
the risk reduction effects (Wang et al., 2012) and uncertainty (Reed et al., 2010).
Upon proposing various safety measures, the next step is to carry out cost-benefit analysis
(CBA) on each safety measure. CBA aims to rank different safety measures by identifying the
benefits from accident prevention and the cost associated with safety measures. The evaluation
of costs, benefits and other factors may be conducted using various techniques (IMO, 2007).
However, due to unavailability of reliable data, these factors are very difficult to assess in an
exact manner (IMO, 2007).
Safety experts as well as decision-makers often like to use linguistic variables to estimate costs,
benefits and other associated factors affecting CBA incurred in safety improvements. Under
such considerations, it may be more appropriate to estimate using ranking nodes in a BN, where
the BN allows for experts to express their subjective judgements (Wang et al., 2013). When
applying the proposed cost-effective BN framework, the following activities should be carried
out (Reed et al., 2010) : (1) identify initiating events based on a facilitated brainstorming
process supported by a checklist and comprehensive literature review in undocking and
docking a vessel in graving/floating dry dock; (2) describe the potential consequences and
associated probabilities for each initiating event; (3) categorise the potential consequences and
associated probabilities by use of a qualitative or a semi-quantitative approach; (4) identify
potential safety measures for initiating events.
202
A similar method has been used several times in risk analyses in this research. The initial part
of this research is the risk assessment process carried out in a workshop where experts on the
failure/accident model in floating/graving dock system participated, and the information
gathered in the workshop was subsequently refined by the risk analyst for cost-effectiveness
analysis. The factors affecting the cost effectiveness model are presented in Figure 6.3.
Figure 6.3: Factors affecting cost-effectiveness
6.4.1 Expected cost
As for the expected cost, it is common to use expected values for the cost dimension.
Predictions of cost for implementing and operating safety measures can be calculated as several
levels of detail. Examples of cost prediction categorisation (in £): very low < 10.000: low ≥
10.000 and < 100.000: medium ≥ 100.000 and < 500.000: high ≥ 500.000 <1.000.000: and very
high: > 1.000.000 (Reed et al., 2009). All cost categories are covered in the assessment
including, capital, appraisal, failure, operational, maintenance, training, administrative, formal
safety assessment cost, cost of result accuracy, etc. (Lois et al., 2004). For example, prevention
cost is the cost of preventing failures, whilst failure cost is cost incurred as a result of scrap,
rework, and failure. Appraisal cost is cost of measurement.
6.4.2 Evaluation of expected benefits
To find the expected benefit, the implementation can be done by paying attention to the
expected risk reducing effect. For each risk reducing measure, the expected risk reducing effect
should be given a qualitative assessment and description, and then be categorised according to
the assigned expected risk reducing effect. Emphasis should be on the description of physical
matters. Some answers may need the support of quantitative studies. The categorisation process
should be based on some criteria to ensure consistency. What categories need to be applied
Identification of potential safety measures
Evaluation and
categorization of
expected cost for
each safety measure
Evaluation and
categorization of
expected benefit for
each safety measure
Evaluation and
categorization of expected
risk reducing effect for
each safety measure
Evaluation and
categorization of
reference value for
each safety measure
Evaluation and
categorization of the
uncertainty each
safety measure
Categorization of cost-effectiveness for each safety measures
Decision
203
depends on the level of detail of the analysis. In this study, the five categories used for expected
benefit are: very low = no benefit from reduced risk, low = small benefit from reduced risk,
medium = medium benefit from reduced risk, high = high benefit from reduced risk, and very
high = very high benefit from reduced risk (Lois et al., 2004). In the categorisation process,
both the initial risk picture determined in the risk assessment and the expected risk reducing
effect given the initiating event have to be considered (Reed et al., 2009).
6.4.3 Evaluation of expected risk reducing effect
A coarse evaluation of the risk reducing effect for each safety measure needs to be considered.
It is also called the risk reduction after implementation of safety measure. It should be noted
that in this factor the risk reducing effect (RREi) is not measured as the product of probability
and consequence, but is calculated in terms of reduction in the expected number of fatalities
once a specific safety measure is implemented. This implies that, at least for the moment, only
consequences incurring fatalities are considered. The risk reducing effect is calculated by:
∆ RREi = ∆Pf . Cf (6.3)
Where, ∆ RREi is risk reduction effect [fatalities year-1], ∆Pf is reduction of accident probability
after adopting safety measure [year -1], and Cf is the accident consequence [fatalities]. The
linguistic scale can be used to estimate the accident consequence (Wang et al., 2013).
6.4.4 Reference value for each safety measure
The results of a cost-effectiveness analysis may be expressed in two main ways: either as a
cost-effectiveness ratio or as an effectiveness-cost ratio. The review and discussion of the cost-
effectiveness analysis that follows focuses on the cost-effectiveness ratio, which is by far the
more commonly used ratio. The reference value (Ri) clarifies how much money the decision-
maker (DM) is willing to pay to obtain one unit of effectiveness. Implementation of the safety
measure is preferred to status quo if the decision-maker is willing to pay more to obtain one
unit of effectiveness than the cost-effectiveness index expresses, which means that safety
measure 1 is preferred to status quo if R is considered (Reed et al., 2009).
6.4.5 Uncertainty effects for each safety measure
Valuable insight is provided through cost-effectiveness indices, but there is a need for a broader
consideration of uncertainties, as discussed in Abrahamsen et al. (2004) and Aven (2008). The
main argument is that the expected values are conditional background knowledge, and may
204
produce poor predictions. The background knowledge includes historical system
performances, system performance characteristics and knowledge about the systems in
question. Assumptions are an important part of this knowledge. A result is that a true objective
expectation value does not exist due to these uncertainties (Ui) (Reed et al., 2009). Uncertainty
may be regarded as the values predictability of the real outcomes. High uncertainty may
indicate that the expected risk reduction effect can give a poor prediction of the real risk
reducing effect. The uncertainty categorisation should be based on some criteria to ensure
consistency (Reed et al., 2009).
Three categories are used for the uncertainty dimension: Low uncertainty, all the following
conditions are met - The phenomena involved are well understood, the models used are known
to give predictions with accuracy- The assumptions made are seen as very reasonable- Much
relevant and reliable data and/or experience are available - There is broad agreement among
experts. For the uncertainty dimension: High uncertainty, one or more of the following
conditions are met- The phenomena involved are not well understood - The assumptions made
represent strong simplifications-Data and/or experiences are unreliable - There is lack of
agreement/consensus among experts. For the uncertainty dimension: Medium uncertainty, (i.e.
conditions between high and low uncertainty e.g. - The phenomena involved are well
understood, but the models used are too simple- Some reliable data and/or experience are
available. The degree of uncertainty must be seen in relation to the effect/influence the
uncertainty has on the predicted values. For example, a high degree of uncertainty combined
with high effect/influence on the predicted values will lead to a conclusion that the uncertainty
factor is high.
6.4.6 Ranking of safety measures for decision making
After the cost-effective analysis factors of each safety measure are assessed, the outputs should
be combined to provide the overall assessment for the safety measures. The expected cost,
expected benefit, risk reducing effect, preference values, and uncertainty of the ith safety
measure can be evaluated using the crisp probability value (CPV) to rank the output safety
measures in preference degree using the seven (7) safety states (See section 5.5.6).
6.4.7 Advantage of Bayesian network-based cost-effectiveness
Bayesian network techniques are a kind of powerful knowledge representation and reasoning
tool under conditions of cost-related uncertainty with various domain expert background. In a
205
practical application, the nodes of a BN represent uncertainty factors, and the arcs are the causal
or influential links between these factors. The association with each node is a set of conditional
probability distribution (CPD) that models the uncertainty relationships between each node and
its parent nodes. Many applications have also proven that Bayesian network is an extremely
powerful technique for reasoning the relationship among a number of variables under
uncertainty (Lu et al., 2009).
Compared with other inference analysis approaches for cost effectiveness analysis, BN
techniques have four main advanced features in applications. Firstly, all the parameters in the
BN have an understandable semantic interpretation (Mylly-maki, 2002). This feature helps
users construct a BN directly by using their domain knowledge. Secondly, BN techniques have
the ability to learn a relationship among its related variables. This not only allows users to
observe the relationships among its variables easily, but also can handle some missing data
issues (Heckerman, 1997).
Thirdly, BN techniques can conduct inference inversely; i.e. BN can conduct bi-direction
inference. The fourth advanced feature is that BN techniques can combine a priori information
with current knowledge to conduct inference as it has both causal and probabilistic semantics
in cost-effectiveness analysis. These features will guarantee that using Bayesian networks is a
good way to verify those initially identified uncertainty relationships between cost, benefit, risk
reduction effect, reference value, and uncertainty factors in the formal safety assessment in
docking and undocking a vessel in graving and floating dry docks.
6.5 Cost-Effective Bayesian Network Framework
In general, there are three main steps when applying Bayesian network techniques for cost
effectiveness analysis and setting effective relationships for a practical problem: (1) creating a
graphical BN structure for the problem, (2) calculating related conditional probabilities to
establish a BN, and (3) using the established BN to conduct inference for finding possible
relations among these factor nodes of the BN. The following sub-sections will describe the
three steps in detail.
6.5.1 Creating a graphical structure for cost-effectiveness factor relationships
A graphical BN structure of cost-effectiveness factors’ relationships can be created by linking
nodes in the structure using lines. These lines in the graphical BN structure express the
significant effect relationships between cost-effectiveness factors’ nodes. These nodes and
206
relationships shown in Figure 6.4 are considered as a result obtained from domain safety
experts (E) and domain decision-makers’ (DM) knowledge. In order to test these established
relationships, structural learning is needed to improve the BN by using collected real data from
docking and undocking operations. The factors discussed in section 6.4 are therefore used to
complete the structured learning of the BN. The BN has 31 nodes and 30 links, and will be
used for Bayesian rule-based inference for cost-effectiveness analysis. One BN is constructed
by structural and parameter learning, using AgenaRisk (2013) desktop decision support
software.
The Bayesian cost-effectiveness framework consists of the node expect cost (Ci) with five
experts’ (E1, E2, E3, E4 and E5) input, the node expected benefit (Bi) five experts’ (E1_1,
E2_1, E3_1, E4_1, and E5_1) input, the node risk reduction effect (RREi) with inputs A%, B%,
C%, D%, and F% which signify a 15%, 25%, 50%, 60%, and 85% risk safety measure
reduction respectively, the node reference value (RVi) with five decision-makers’ (DM1, DM2,
DM3, DM4, and DM5) inputs, and the node uncertainty (Ui) with five experts’ (E1_2, E2_2,
E3_2, E4_2 and E5_2) inputs. This model is used to obtain the output net expected benefit for
each risk safety measure, for ranking purposes.
Figure 6.4: Cost-effective BN framework
207
6.5.2 Calculating the conditional probability distributions
Now let X= (X0,…….,Xm) be a node set, and Xi (i=0,1….m) be a discrete node (variable) in a
Bayesian network B (m = 31) as shown in Figure 7.4. The CPD for the node Xi is defined as
βBxiPA = P(Xi=xiPai = pai) (Heckerman, 1996), where Pai is the parent set of the node Xi,
pai, is a configuration (a set of values) for the parent set Pai of Xi and xi is a value that Xi takes.
Based on data collected in surveys, the CPDs of all nodes shown in Figure 7.4 can be calculated.
Before using the BN to conduct inference, learning and establishing the parameters βBxipai
from the data collected should be completed.
In general, the easiest way to estimate the parameters βBxipai is to use frequency. However, as
the size of the data used in this study is not very large, using a frequency method may be not
very effective (Lu et al., 2000). BN is a probabilistic graphical model that represents a set of
random variables and their conditional independencies via a directed acyclic graph (DAG)
(Detcher and Mateescu, 2004). Conditional probability table (CPT) elicitation is a complicated
issue due to a large number of judgements required to quantify the relationships of the BN
(Rajabally et al., 2004).
Wang et al. (2012) also proposed the use of Analytic Hierarchy Process (AHP) and the
decomposition method to estimate the CPT for BN nodes. Suppose that a node X (with k states
x1, x2,……xk) has n parents ( T(1), T(2),…. T(n)). The determination of the conditional distribution
P(X = xiT(1), T(2),…. T(n)) for all possible state combinations of the parents is a complicated
process, especially when n is large or when each parent has a large number of states. Using the
decomposition method means the conditional probability with each of the n parents can be
calculated separately and then combined, while keeping a close look at the normalisation
constant ‘α’ to ensure ∑ P(X = xiT(1), T(2),…. T(n)) = 1. This study, however, proposes the use
of ranking nodes with experts’ judgements expressed with WeightedMin truncated distribution.
Fenton et al. (2007) suggested that ranked nodes represent discrete variables whose states are
expressed on an ordinal scale that can be mapped onto a bounded numerical scale that is
monotonically ordered with an underlying unit interval, [0,1]. As far as the user is concerned
the underlying numeric scale is invisible – the displayed scale is still the labelled one rather
than the numeric one, but the latter is used for the purposes of computation (a priori
probabilities) and generating CPT.
208
The crucial thing about the ranked nodes is that they can make the BN construction and editing
task much simpler than otherwise possible. By defining nodes as ranked nodes, it is possible to
define the CPTs that satisfy the criteria described. As already indicated in section 4.7.3 (ranking
nodes in BN), when a node is specified as a ranked node then, no matter how many states a
node has, there is an assumption that there is an underlying numerical scale that goes from 0 to
1 in equal intervals. The 5 and 3 mapping scale and underlying numeric ranking is presented
in Table 6.3 and Table 6.4. Users of BN never have to construct the mappings. All they need
to know is that, irrespective of the linguistic descriptions of the states, the underlying model is
working with a numerical scale.
Because it is a numerical scale, the numerical statistical distribution can be defined, and one
especially useful distribution is truncated normal (TNormal) and weighted min function
(WMIN) (see section 4.7.5) which can be used to generate CPTs, rather than the Normal
distribution commonly assumed in linear regression for ranked causal nodes, the doubly
truncated Normal distribution (denoted TNormal hereafter) as defined, for example in Cozman
and Krotkov (1997), where all nodes are truncated in the [0,1] region. Unlike the regular
Normal distribution (which must be in the range –infinity to +infinity) the TNormal has finite
end points, denoted by TNormal (µ,ⱷ2, 0,1) where µ is the mean and ⱷ2 is the variance.
The priori ranking for E1-E5 is a 5 mapping ranked scaled and a variance ⱷ2 = 0.2 and the
weights of the experts are E1= 0.1, E2 = 0.2, E3 = 0.4, E4= 0.4 and E5 = 0.5. The nodes E1_1
= 0.1, E1_2 = 0.2, E1_3 = 0.4, E1_4 = 0.4 E1_5 = 0.5 have a variance ⱷ2 = 0.01. The nodes
A%, B%, C%, D% and F% have the same weights. The five parent nodes DM, have the
following weights DM1= 0.2, DM2= 0.2, DM3= 0.3, DM4= 0.4, DM5=0.5 and variance ⱷ2 =
0.002. The parent nodes E1_1 are ranked on 3 points mapped with weights E1_1= 0.1, E2_1 =
0.2, E3_1 = 0.3, E4_1 = 0.3, E5_4 = 0.5.
Table 6.3: Five (5) scale mapping Table 6.4: Three (3) scale mapping
After the prior distributions are determined, the Bayesian network also requires calculation of
the posterior distributions of child nodes βBxipai. To conduct this calculation, this study
Low [0,0.333)
Medium [0.333,0.666)
High [0.6666,1)
Very low [0,0.2), the range 0 to 0.2
Low [0.2,0.4), the range 0.2 to 0.4
Medium [0.4,0.6), the range 0.4 to 0.6
High [0.6,0.8), the range 0.6 to 0.8
Very high [0.8,1), the range to 1
209
assumes that the state of each node can be one of the five values: very low, low, medium, high,
and very high, or it can be one of the three values: low, medium and high. Next, a weighted
min function, WMIN, is used in the following general form:
WMIN = min𝑖 = 1…..𝑛
wiXi + ∑ Xj n
i≠j
wi + (n-1) (6.4)
Where wi ≥ 0 and n is the number of parents nodes, with a suitable variance ⱷY2 that quantifies
our uncertainty about the result thus giving: p(Y/X) = TNormal [WMIN(X), ⱷ2,0,1]. Thus,
WMIN function can be viewed as a generalised version of the normal MIN function. In fact, if
all the weights wi are large then WMIN is close to MIN. At the other extreme, if all the weights
wi =1, then WMIN is simply the average of the Xis. In this case the experts (E) and the decision-
maker (DM) need only supply the parameter to both generate the CDP. According to Fenton et
al. (2009) these sets of functions have been sufficient to generate almost the entire ranked node
NPTs elicited in practice.
The CDPs of the cost effective Bayesian framework are: P (expected cost_ E1 0.1, E2 0.2, E3
0.4, E4 0.4 and E5 0.5) and has a variance ⱷY2 0.01 that quantifies our uncertainty in a ‘five
ranked nodes’: P (expected benefit_ E1_1 = 0.1, E1_2 = 0.2, E1_3 = 0.4, E1_4 = 0.5) with a
variance ⱷY2 0.01 that quantifies our uncertainty ranked in a five scale: P (risk reduction effect_
A%, B%, C%, D% and F% have the same weights) with a variance ⱷY2 0.03 that quantifies our
uncertainty ranked in a three scale; P (reference value_ DM1= 0.2, DM2= 0.2, DM3= 0.3,
DM4= 0.4, DM5=0.5) with variance ⱷY2 0.09 that quantifies our uncertainty ranked in a three
scale; P ( uncertatinty_E1_1= 0.1, E2_1 = 0.2, E3_1 = 0.3, E4_1 = 0.3, E5_4 = 0.5) with
variance ⱷY2 0.09 that quantifies our uncertainty ranked in a three scale. The CPD P (net
expected benefit_expected cost = 0.1, expected benefit = 0.2, risk reduction effect = 0.3,
reference value = 0.2, and uncertainty = 0.1) with variance ⱷY2 0.08 quantifies our uncertainty
ranked in a seven scale.
6.5.3 Inference
Having created a cost-effective factor relation BN with both its structure and all conditional
probabilities defined for its nodes, it can be used to conduct inference among the relationships
identified. The inference process can be handled by fixing the states of observed variables, and
then propagating the beliefs around the network until all the beliefs (in the form of conditional
probabilities) are consistent. Finally, the desired probability distributions can be shown in the
210
network (Lu et al., 2009). There are a number of algorithms used to conduct inference in BNs,
which have different trade-offs between speed, complexity, generality, and accuracy.
The junction-tree algorithm produced by Lauriziten and Spiegelhlater (1988) is one of the most
popular algorithms which uses an auxiliary data structure called a junction tree, and computes
deep analysis of the connections between graph theory and probability theory, have a limitation
such as joint distribution for each maximum clique in a decomposable graph where the
initialisation and the process of message passing may miss some important information
(Lauriziten & Spiegelhlater, 1988). Good tool support is therefore needed; both for the purpose
of building realistic CPTs that adequately capture expert judgement and ranked nodes.
The normalised data can be dealt with by various computerised packages. The AgenaRisk
software satisfies the requirements of enabling domain and decision-makers without any
statistical knowledge to quickly generate distribution, and provides instant visual feedback to
check that the CPTs are working as expected. In the process of inference, this allows experts
and decision-makers to continually backtrack between previously estimated values and current
values of both variance and expert weights in cases that were felt to be similar. Once the CPT
is completed the experts could examine the sensitivity of results by running the model with a
click of the mouse. The expectation of the resulting marginal distribution for net expected
benefits would be monotonic and smooth given the influence factors of expected cost, expected
benefit, risk reduction effects, reference value and uncertainty.
6.5.4 Net expected benefit crisp probability value
The resultant node, net expected benefit output is ranked in a 7 scale: lowest, very low, low,
medium, high, very high, highest as presented in Table 6.5. This table shows its corresponding
membership which can be used to obtain the crisp probability value (CPV) used in categorising
the risk safety measures using equation 6.5.
Table 6.5: Membership function for crisp probability value
1 2 3 4 5 6 7
VP 0 0 0 0 0 0.75 1
P 0 0 0 0 0.75 1 0.25
RP 0 0 0 0.75 1 0.25 0
AV 0 0 0.5 1 0.5 0 0
RG 0 0.25 1 0.75 0 0 0
G 0.25 1 0.75 0 0 0 0
E 1 0.75 0 0 0 0 0
211
P1 = P71/P1
1, P2 = P61/P1
1, P3 = P51/P1
1, P4 = P41/P1
1, P5 = P31/P1
1, P6 = P21/P1
1, P7 = P1
P11 = [0.75 (0.75+1)]6 + [1(0.75+1)]7 = 6.571, P2
1 = [0.75 (0.75+1+0.25)]5 +
[1(0.75+1+0.25)]6 + [0.25(0.75+1+0.25)]7 = 5.75, P31 = [0.75 (0.75+1+0.25)]4 +
[1(0.75+1+0.25)]5 + [0.25(0.75+1+0.25)]6 = 4.75, P41 = [0.5(0.5+0.5+1)]3 + [1(0.5+0.5+1]4
+ [0.5(0.5+0.5+1]5 = 4, P51 = [0.25 (0.25+1+0.75)]2 + [1(0.25+1+0.75)]3 +
[0.75(0.25+1+0.75)]4 = 3.25, P61 = [0.25 (0.25+1+0.75)]1 + [1(0.25+1+0.75)]2 +
[0.75(0.25+1+0.75)]3 = 2.25, P71 = [1 (1+0.75)]1 + [0.75(1+0.75)]2 = 1.428
Q = 0.217T1 + 0.248T2 + 0.301T3 + 0.357T4 + 0.439T5 + 0.634T6 + 1T7 (6.5)
6.6 Results
Table 6.6: Truth table for risk control options for studies A and B obtained from experts
RCOA
1 RCOA
2 RCOA
3 RCOA
4 RCOA
5 RCOA
6 RCOB
1 RCOB
2 RCOB
3 RCOB
4 RCOB
5 RCOB
6 E1 M M VH M H H E1 L VH M L H M E2 VL M VH H H VH E2 M VH H M H VH E3 VH H H H M H E3 L H H VH H VH E4 M M L L VH H E4 M H H H H H E5 M L M M H M E5 M H M L H VH E1_1 VL M M M M VH E1_1 VH H M H VH M E2_1 M L L M H H E2_1 VH H VH H VH M E3_1 H L L H H H E3_1 VH H VH H H M E4_1 M VH VH VH H M E4_1 VH VH VH H M H E5_1 H H H M H H E5_1 VH VH H H M H A% L M M L L L A% L L L L M M B% L H H L L M B% M L L M L L C% L L L L M M C% L L L L L L D% L H H H H H D% L L M M L L F% M H M H L H F% M L M L L L DM1 M M M M H M DM1 L M M H M H DM2 L H H M H H DM2 M H M H H H DM3 L L L L H H DM3 H H H H H M DM4 H H H L H H DM4 H H H H H H DM5 L H H H H M DM5 H H H H H H E1_2 L M M M M L E1_2 M L L M L M E2_2 M M M L M L E2_2 M L M M L M E3_2 M L L L H L E3_2 M L L L L L E4_2 L M M L L L E4_2 M L L L L L E5_2 M M M M M L E5_2 L L H L M L
RCOs subjective assessment obtained from experts
opinions and decision maker reference value under
uncertainty. Five experts and five decision makers are
consulted to obtain truth table. The results from risk
reduction effect using fault tree analysis (A%, B%, C%,
D%, and F%) are also presented.
212
6.6.1 Running model
Using AgenaRisk desktop 2013, the truth table obtained from participating experts and
corresponding decision maker for each RCOs are depicted in Table 6.7 and Table 6.8.
Table 6.7: Result for study A Lowest % V low % Low % Medium % High % V High % Highest % CPV% Result No
RCOA1 3.017 11.449 24.474 29.922 20.967 8.332 1.839 1.822 R1
RCOA2 2.816 11.027 24.133 30.034 21.385 8.653 1.953 1.676 R2
RCOA3 0 5.21 16.03 28.143 28.325 16.197 5.144 0.495 R3
RCOA4 0 3.377 12.472 26.039 30.622 19.957 7.022 0.373 R4
RCOA5 0 3.377 12.472 26.039 30.622 19.957 7.022 0.377 R5
RCOA6 0 4.106 13.908 26.942 29.752 18.409 6.196 0.415 R6
Table 6.8: Results for study B
Lowest % V low % Low % Medium % High % V High % Highest % CPV% Result No
RCOB1 0 5.122 16.486 29.041 28.403 15.466 4.63 0.536 R7
RCOB2 0 3.877 13.929 27.773 30.417 17.903 5.506 0.447 R8
RCOB3 0 3.528 12.918 26.463 30.425 19.417 6.716 0.389 R9
RCOB4 1.074 5.853 17.533 29.351 27.605 14.458 4.126 0.816 R10
RCOB5 1.016 5.564 17.004 29.238 28.115 14.856 4.208 0.792 R11
RCOB6 0 4.753 15.615 28.743 29.254 16.126 4.697 0.509 R12
A graphical representation of result No. 2 is presented in Figure 6.5. The results for Study A
are presented in Appendix 7. Results No. R7-R12 for Study B are represented in Appendix 7.
Figure 6.5: Net expected benefit of implementing RCOA2, Result No. 2
213
6.6.2 Categorisation of cost-effectiveness of each safety measure
The cost-effectiveness of the safety measure can be effectively categorised in the following
order for decision making, RCOA: RCOA1, RCOA2, RCOA3, RCOA6, RCOB5, & RCOA4
and, RCOB: RCOB4, RCOB5, RCOB1, RCOB6, RCOB2 & RCOB3.
6.6.3 Parameter sensitivity analysis
Parameter sensitivity analysis is completed to show how sensitive the results of a belief update
(propagation of evidence) are in variations in the values of a parameter in the model. The
parameters of a model are the entries of the conditional probability distributions. Using the
sensitivity analysis wizard in AgenaRisk Desktop as presented in Figure 6.6 showing the node,
net expected benefit is set as target node.
Figure 6.6: Target node and sensitive node selection
6.6.4 Result analysis
Over all the inference results obtained through running the TNormal distribution with ranked
nodes, twelve (12) main significant results (Net expected benefit result 1-12) are particularly
used to categorise the cost-effectiveness of each safety measure. The next results’ analyses
(Results 9 and 1) are particularly discussed. These results are under the evidences that the
‘target node’ is with either ‘high’ or ‘low’ value. For the other situations such as under the
evidence that the node is ‘low’, similar results have been obtained.
Result 9. Assuming that the net expected benefit for RCOB3 is highest, we obtained the
probabilities of the other factor nodes under the evidence. The result is shown in Figure 6.7 for
further explanation. We can find that when the value of RCOB3 NEB is ‘highest’ the
214
probability of expected cost (Ci) is the highest impacted. This indicates that if the company’s
net expected benefit is high, it is highly due to its level of influence on expected cost (Ci). It is
also shown that the probability of a risk reduction effect (RREi) is the second most important
criterion to consider when implementing safety measure RCOB3. These results mean that a
company’s high investment in both expected cost (Ci) and risk reduction effect (RREi) will
bring the highest significant enhancement of the implementation of safety measure RCOB3.
This is true as shown in Figure 6.7 for low implementation of safety measure RCOB3.
Figure 6.7: Sensitivity analysis using RCOB3
Result 20. When RCOA1 net expected benefit is highest, we can obtain the probabilities of the
other nodes under evidence (Figure 6.8). Figure 6.8 shows the effect of expected cost as highest
with probabilities ‘0.051’ low and ‘0.26’ high. This suggests that high investment on expected
cost affects the net benefit the most as required. The second most important factor is improving
on expected benefit. Uncertainty and the reference values affect the net expected benefit the
least.
Figure 6.8: Sensitivity analysis using RCO4A
215
6.7 Conclusion
One of the most important challenges in building effective BN models to solve real-world cost-
effective analysis problems is that of constructing the CTPs. Because of the need to involve
busy domain experts and decision-makers (who do not necessarily understand probability
theory in detail), it is required to construct the CTPs using the minimal amount of expert
elicitation, recognising that it is rarely cost-effective or feasible to elicit complete sets of
probabilities values. In the past, other modelling approaches for real applications have been too
costly and demanding feasibility. This approach marks an improvement over current practice
and has proven to be acceptable to practitioners in other fields.
On a second level, partners and decision-makers need models to produce predictions and
supportive decision insights that can demonstrate better results than from methods that require
detailed statistical understanding. Also, since this approach has been used in a number of
application areas such as for operational risk assessment (Fenton et al., 2007, these results show
that the elicitation burden is much reduced by using ranked nodes by simply eliciting a small
number of parameters from experts and decision-makers.
On a third level, by applying Bayesian network techniques this study explored and verified a
set of relations between cost factors, benefit factors, reference factors, risk reduction effect
factors, and uncertainty factors in the application of decision making in docking and undocking
ship operation. A cost-benefit factor relation model proposed in this study was considered as
domain knowledge and the data collected through a literature survey was evidence to conduct
the inference-based verification. Through calculating the node probabilities table (NPT) of
these factors, it was found that certain cost factors are more important than others to achieve
certain aspects of benefits in relation to reference, risk reduction effect and uncertainty factors:
(1) Compared with other risk safety measures in Study A, increased investments in
implementing RCOA1 would significantly contribute to three benefit aspects of reducing
stability failure in floating dry dock during docking and undocking a vessel, hence
improving a company’s image and competitive advantage.
(2) Compared with other cost items in Study B, the increased investment in implementing risk
safety measure RCOB1 would significantly help reduce the failures of a dry dock gate in
docking and undocking a vessel in a graving dry dock,
216
(3) Compared with other cost items in C, the increased investment of implementing risk safety
measure RCOB4 would greatly reduce the probability of total loss of a floating dry dock
due to pontoon deck failure, hence building cooperation with other companies.
(4) Comparing the relations of safety factors more is required to be done in improving
awareness importance of benefit factors. Depending on the RCO under study, the ranking
of impact factor provides the least important factor to be taken into consideration when
making decisions. For example, using RCOB1, decision-makers should pay more attention
to improving benefits and pay less attention to reference value factor and uncertainty factor,
while using RCOB3 recommendation for decision making should be to improve the risk
reduction effect and to pay less attention to the reference value and uncertainty factors.
Based on these findings, if a dry docking company plans to improve the perceived company
image through one of the following operations, it would be appropriate for the company to
have considerable investments when implementing these risk safety measures as categorised
in this study. Therefore, these will provide a great practical recommendation for managers in
dry docking operations when they develop risk assessment strategies to reduce identified
failures, thereby enhancing system functionality and increasing the benefits of docking a vessel
for repair in both floating and graving dry docks.
217
Chapter 7 – Integration of PhD Chapters
Summary
This chapter briefly summarises the risk assessment and decision-making approaches
presented in the previous chapters that would be of benefit in the safety of a ship-docking
operation and management system. In summary, it is concluded that the developed models can
be integrated to formulate a platform to facilitate risk assessment and decision making.
7.1 Dry Docking Formal Safety Assessment Management
The FSA management process in dry dock is an enhancement of the traditional safety
management process in that the three fundamental components – surveillance, periodic dry
dock safety reviews, and maintenance procedures – are central to the procedure. Together they
permit informed decision making concerning the manner in which the risks are being
controlled. The purpose of this section is to provide an overview of the various aspects of the
dry dock formal safety assessment management framework in line with the outcome of this
PhD research. A comprehensive framework is illustrated in Figure 7.1.
Figure 7.1 Dry dock formal safety assessment process
The enhancement of this PhD research is achieved through an integrated process that affords
to explicitly recognise and analyse risk in dry docking system (Chapter 3) with formal
treatment of uncertainties (Chapters 4 and 5) that are ever-present in safety practice. A defined
Evaluation
Existing gaps
Performance goal
Uncertain
Risk assessment
outcome under uncertainty:
Justification of method Case study application
Cost benefit (CB) analysis outcome:
Use outcome from Chapter 4 and 5 for
CB analysis
Chapter 1 & 2
PhD Objective
PhD Literature Review
Study Analysis
Surveillance
Dry dock safety reviews
Chapter 3
FT-FSA application in
dry docking system
Step 1
Step 2
Select appropriate method and justification
Chapter 4 & 5
FT-BN for risk assessment
Fuzzy rule base - ER
Chapter 6
Cost benefit
assessment
Does dry dock meet performance?
218
risk evaluation process (Chapter 6) leading to recommendations for decision making is also
presented. The safety decision making requires five supporting processes:
1. The generation and analysis of information about individual dry dock systems (Chapter
2, Section 2.3-2.5)
2. The establishment of criteria with which the information on the individual dry dock
systems can be assessed (Chapter 3, Section 3.3-3.5)
3. Risk analysis under uncertainty (Chapters 4 and 5, Sections 4.4 and 5.5-5.8 respectively)
4. A control process to ensure adequate control of risks (Chapter 6, Section 6.3)
5. A decision-making process which leads to the most appropriate course of action (Chapter
6, Section 6.6.4)
6. A periodic audit to continually monitor the scope and suitability of the risk controls
(Chapter 6, Section 6.6.4 and Section 6.7)
7.2 Risk Assessment and Cost Benefit Analysis
Risk assessment is central in this PhD research and its essential features are illustrated in Figure
7.2. The results of the risk analysis and risk evaluation process are intergraded for cost benefit
analysis (Chapter 6). The final step of FSA is ‘decision making’, which aims at giving
recommendations and making decisions for safety improvements.
Risk Assessment
Cost benefit Assessment
Figure 7.2: Risk assessment and cost benefit analysis framework
Safety management
principles
Guidance on risk
based decisions
Hazard Identification
Failure mode
identification
Range of failure
probabilities Range of
Consequences
Risk estimation
NO/UNCERTAIN
Is the dry dock
safe enough?
YES Recommendation for decision making
219
Dry docking evolution can lead to serious accidents. Therefore, dry docking-related safety has
to be improved; this can be carried out by using scientific risk assessment methodologies. The
findings from the literature review have exposed that there are no conceptual risk assessment
methodologies available for dry docking problems and the risk assessment of ship docking is
closely associated with high levels of uncertainty. Thus, Chapters 3, 4, and 5 have demonstrated
the risk analysis approach based on the safety principles of FSA under a high level of
uncertainty, and Chapter 6 has presented a cost benefit approach for recommendation as a
conclusion of this work. The developed methodologies are generic in nature and can be applied
to any situation. In summary, these methodologies can be concluded as follows:
7.2.1 Fault tree-Formal safety assessment in dry docking operation
In dry docks, occupational accidents are frequent. An occupational accident is defined as an
unexpected and unintended incidence while occupied in an economic activity, which results in
one or more workers getting injured or loss of life (Baris, 2012). Every 15 seconds, a worker
dies as a result of occupational accidents or work related diseases. One hundred and sixty
workers have an occupational accident statistically every 15 seconds. Over 2.3 million deaths
per year and more than 336 million accidents occur at work annually (ILO, 2011). In shipyards,
these occupational accidents are classified by several statistical agencies under the construction
or repairing topics. Shipbuilding and repair is a complex business, with huge tasks performed
in parallel. The steel handling and processing production process requires great space, which
must be inspected, sorted and stored. On these steel products, further activities are required,
which include blasting, priming, shaping, forming to designed shape, welding to make
assemblies, panel, fabrication, block assembly, pre-outfitting, air conditioning, electrical cable
fitting, surface preparation and coating (ILO, 2011). This has been the challenge in respect to
shipbuilding and repair system safety, which stands out as being complex and uncertain.
The adoption of the fault tree-formal safety assessment (FT-FSA) concept is used to solve
existing gaps. Existing gaps within the framework are the unavailability of experts to carry out
a proactive risk-based approach to deal with accidents and eliminate their occurrence from its
origin. FSA consists of five steps. FT is a formal method used in steps 1 and 2 in this study.
Hollnagel (2004) categorises these accident models in the following three types: (a) sequential
accident model, which describes an accident as a result of a sequence of events that occurred
in a specific order; (b) epidemiological accident model, which describes an accident in an
220
analogy with the spreading of diseases; (c) systemic accident model, which describes the
performance of a system as a whole, rather than on the level of cause-effect mechanisms or
epidemiological factors.
Fault tree analysis (FTA) is a very popular and diffused technique for modelling and evaluation
of large, safety and critical systems. Henley et al. (1995) carried out a diffused analysis on
dependability modelling using FSA. It is a deductive analysis, starting with potential or actual
failures and deducting their causes (Chris et al., 2012). Root causes of failures frequently have
to be inferred from multiple indirect observations. Fault trees are intended for reliability and
fault analysis rather than diagnostic observation (Wojtek and Milford, 2006).
FTA has wide applications in system safety engineering such as security design, risk
assessment, and the management of safety-critical projects (Zhuang et al., 2011). FTA is used
for preliminary safety analysis, especially the qualitative analysis of identifying the root causes
for the development of RCOs. FTA is an effective methodology in the safety analysis of a
system; it also has some deficiencies, especially when being used in complex engineering
systems such as dry docking. These disadvantages include (Hu et al., 1995): (a) events in FT
are assumed to have only two states, namely working or failure, but in actual engineering some
events are polymorphic; (b) events in FT are assumed to be independent, but actually some of
them may have interdependent relations. FTA is more applicable to a system analysis problem
in which fault mechanism and logic relationship are clearly defined. For complex and uncertain
systems, a probabilistic network approach should be a better choice (Jong and Leu, 2013).
7.2.2 Fault tree-Bayesian networking approach for dry docking operations
As mentioned in section 7.2.1, FT-FSA is a common diagnostic tool used to assess the
reliability of a ship-docking system. However, FTA has some limitations in modelling, such as
lack of lateral links and limited definition of event states and logic gates. To overcome the
limitations of FT-FSA, Bayesian network (BN) has been proposed and widely applied for
uncertainty analysis. However, the establishment of BN for practical applications could be
quite difficult and tedious, especially with complicated ones.
This Chapter combines the advantages of FTA and BN to propose a more effective BN
development process by transforming a multi-state FT into a BN framework. The process was
221
then used to build a ship-docking system. Model validation and sensitivity analysis are
performed to further assess the application of this approach.
Particularly, in building a large BN, the model must be mathematically sound, and at the same
time easy for the decision-maker to understand. Furthermore, such models require a set of
parameters to be fully specified, and either statistical data or expert judgement must be used to
estimate them. Finally, the model must be represented such that the interested quantities can
be calculated efficiently (Barlow, 1988). To overcome the challenges of representation, the FT-
BN method is used and, to overcome the challenges of better quantification, a method of
ranking subjective nodes from experts’ elicitation using WeightedMin truncated normal
distribution (TNormal) is adopted in BN to easily calculate and represent the priori probabilities
and conditional probability table (CPT) of corresponding nodes.
The combination of these two approaches has been reported in aerospace and manufacturing
industries (Zhuang et al., 2011). BN is an approach to deal with intrinsic drawbacks in FTA.
This method is based on uncertainty treatment theory. It is usually grouped under uncertain
categories like fuzzy logic, Markov models, artificial neural networks, Monte Carlo simulation,
grey theory, and Dempster-Shafer theory (Yang et al., 2005). BN has great ability to model
randomness and capture nonlinear causal relationships. This potential has increased its
popularity in recent years. Yang et al. (2008) state that it is ‘a powerful risk analysis tool’
because it can be used in a range of real applications concerned with predicting properties of
safety-critical systems. In this chapter, it was realised that, although the mechanism of
transforming from FT to BN has been well examined, the use of BN, nevertheless, relies on
the input of experts’ experiences for the linkages and CPTs. Data provided by different experts
will directly affect the accuracy and the assessment quality of BN. Special attention is therefore
required to be carried out in the next stage of this research through cost benefit analysis. If
complete and sound maintenance data are available, an objective BN can be established.
7.2.3 Fuzzy rule base with belief degree for risk analysis in dry docking operation
The methods of rule-based evidential reasoning are based on the synthesis of the tools of Fuzzy
Set Theory (FST) and the Dempster-Shafer Theory (DST). The integration of FST and DST
within symbolic, rule-based models was primarily in maritime safety analysis. These models
combine these theories in a synergic way, preserving their strengths while avoiding the
disadvantages they present when used as a mono-strategy approach.
222
The main advantage in a belief rule system is that each possible consequence of a rule is
associated with a belief degree. Such a rule base is capable of capturing more complicated and
continuous causal relationships between different factors than traditional IF-THEN rules.
Therefore, the traditional IF-THEN rules may be treated as special cases of the more general
belief rule systems. In the framework of rule-based inference methodology, using an evidential
reasoning approach (RIMER), the decision characterised by the maximal aggregated degree
of belief is the best choice (Ferdous et al., 2009). So, the RIMER approach can be used for
building decision support systems.
To make the presentation of the approach of this chapter more transparent, an illustration is
simple enough, but a real-world problem in a floating dry dock is used. The success of FSA
depends on how practical solutions are provided for decision making under uncertainty in dry
docking operations. Fuzzy evidential reasoning (FER) capable of dealing with uncertainty can
be used either as a standalone method or be combined as part of an FSA methodology
(Godaliyadde et.al, 2009). The main focus of this chapter is to use fuzzy theory and evidence
theory approaches to deal with linguistic/subjective uncertainties of event probabilities, and
the latter is also used to handle incomplete/partial ignorance of expert knowledge (Ferdous et
al., 2009).
Nevertheless, there are two restrictions in the RIMER approach that reduce its ability to deal
with uncertainties that decision-makers often meet in practice. The first restriction is that, in
the framework of RIMER approach, a degree of belief can be assigned only to a particular
hypothesis, not to a group of them, whereas the assignment of the belief mass to a group of
events is a key principle of the DST (Dymova and Savastjanov, 2014). The second restriction
is concerned with the observation that in many real-world decision problems we deal with
different sources of evidence and a combination of them is needed. The RIMER approach does
not provide a technique for the combination of evidence from different sources (Liu et al.,
2013). To overcome these limitations, it is required to carry out a cost benefit analysis to select
the best control safety measures from the outcomes of using RIMER and FT-BN.
7.2.4 Risk control options and cost benefit analysis in a dry docking operation
It is hoped to find acceptable ways of estimating and also reducing the cost of operating a ship-
docking system. This might enable the decision-maker to choose the most cost-effective
method that will improve ship-docking safety, environmental protection, profitability and cope
with the strong competition within the ship-docking industry.
223
This chapter provides a robust method for evaluating the cost-effectiveness (CE) of risk control
options, which are identified in Chapters 4 and 5. The deficiencies of current CE methods are
highlighted, undermining the lucidity and consistency in application. The proposed approach
outlines a subjective mathematical formulation that neatly integrates all aspects of CE measures
along with its application based on the ranked nodes with a Truncated Normal distribution
Bayesian network. This method is used in FSA for docking and undocking systems,
demonstrating the ease of the application and clarity of results’ interpretation. FSA forms the
basis for decision making towards mitigation of risk. The latter is performed through
determination of risk control options (RCOs), ranking them according to impact on risk and
cost, and provision of recommendations as to which RCOs are most sensible. Again, the
communication between analysts and other stakeholders about safety measures is usually based
on cost-effectiveness indices. These indices are based on expected values. In the literature it is
argued that such indices are not appropriate for evaluation and communication of cost-
effectiveness as a broader reflection of uncertainty (Reed et al., 2010).
In Chapter 6 a quantitative approach for evaluation of safety measures of a ship-docking system
is based on cost-effectiveness. The initial part of the risk assessment process is carried out in
Chapters 4 and 5 using expert elicitation. The risk-control safety measures are categorised by
cost-effectiveness to provide support for decision making. In the proposed method, evaluation
of the cost-effectiveness is based on calculating expected values, as in a traditional cost-
effectiveness analysis, as well as uncertainties. The uncertainties are systematically addressed
by adjusting the cost-effectiveness categories in accordance with the perceived degree of
uncertainty. Since the proposed procedure is not particular labour intensive, it can be used to
compare a high number of safety measures.
7.4 Recommendations for Decision Making
The final step in a formal safety assessment is decision making, which gives recommendations
for safety improvement. The selection of risk-control options for the decision making is based
on the cost-effectiveness and the principles of ALARP (As Low As Reasonably Practicable).
Intolerable risk is controlled regardless of costs. Reasonable means the costs are grossly
disproportionate to the benefits. On the first level, this approach marks an improvement over
current practice in ship docking and has proven to be acceptable to practitioners in other fields.
On a second level, partners and decision-makers need models to produce predictions and
supportive decision insights that can demonstrate better results than from methods that require
224
detailed statistical understanding. Also, since this approach has been used in a number of
application areas such as for operational risk assessment (Fenton et al., 2007), these results
show that the elicitation burden is much reduced by using ranked nodes by simply eliciting a
small number of parameters from experts and decision-makers.
On a third level, by applying Bayesian network techniques, this study has explored and verified
a set of relations between cost factors, benefit factors, reference factors, risk reduction effect
factors, and uncertainty factors in the application of decision making in docking and undocking
ship operations. A cost-benefit factor relation model proposed in this study was considered as
domain knowledge and the data collected through a literature survey was evidence to conduct
the inference-based verification. Through calculating the CPT of these factors, it was found
that certain cost factors are more important than others to achieve certain aspects of benefits in
relation to reference, risk reduction effect and uncertainty factors (Section 6.5 -6.6):
(5) Compared with other risk safety measures in A, increased investments in implementing
RCOA1 would significantly contribute to three benefit aspects of reducing stability failure
in a floating dry dock during docking and undocking a vessel, hence improving a
company’s image and competitive advantage.
(6) Compared with other cost items in B, the increased investment in implementing risk safety
measure RCOB1 would significantly help reduce the failures of a dry dock gate in docking
and undocking a vessel in a graving dry dock,
(7) Comparing the relations of safety factors, more is required to be done in improving
awareness of the importance of benefit factors. Depending on the RCO under study, the
ranking of impact factors provides the least important factor to be taken into consideration
when making decisions. For example, using RCOB1, decision-makers should pay more
attention to improving benefits and pay less attention to reference value factor and
uncertainty factor, while using RCOB3 recommendation for decision making should be to
improve the risk reduction effect and to pay less attention to the reference value and
uncertainty factors.
Based on these findings, if a dry docking company plans to improve the perceived company
image through one of the following operations, it would be appropriate for the company to
have considerable investments when implementing these risk safety measures as categorised
in this study.
Note: Study A is result from Chapter 4 of thesis, and Study B is result from Chapter 5.
225
Chapter 8 – Conclusion and Implications
Summary
Highlighting the research contribution, final conclusions and recommendations of application
of the Formal Safety Assessment (FSA) for dry docking evolution modelling is performed by
summarising the research outcomes of the thesis. Implications for further research are
described based on key findings and limitations of this PhD research.
8.1 Research Background
Formal safety assessment (FSA) is a systematic, formal and integrated assessment approach
being used by maritime companies. The main aim of this methodology is to improve the level
of maritime safety connected with either life and health security or the environment and
property protection. It is most useful in making decisions using risk analysis, the estimation of
costs and profits and also creating decision trees (Mikulik and Zajdel, 2009).
FSA gives the opportunity to gain as much security as possible through the selection of the risk
control variant, which yields huge risk reduction and good financial benefits, since FSA not
only judges whether and how each means applied is helpful in gaining a higher safety level or
lower pollution level, but it also estimates cost of operation (Wang, 2001). Furthermore, this
methodology keeps good cognition of precautions through detailed identification of who or
what is the real cause of the risk, who will take advantage of risk control and reduction, and
who will bear costs (Wang, 2001).
Since formal safety assessment has been introduced into the ship-safety field, it has proved to
be a method widely applicable, detailed in statistical analysis and effective in assessment,
featured by formal operation procedures, serial standards analysis techniques and decision
making based on cost-benefit assessment (Mikulik and Zajdel, 2009). During the last few years,
it has also been adapted to some other fields in which risk estimation plays a significant role,
such as pilotage, environment protection and public transport (Mikulik and Zajdel, 2009). This
PhD research shows how to use FSA methodology as a helpful tool when docking a vessel for
ship repair in a graving-floating docking system. All five steps of FSA with their main aspects
described in detail are addressed; however, the risk assessment is a critical step and the core
process in the establishment of the risk model (Mikulik and Zajdel, 2009). Following the
identification of the research needs, this PhD study has developed one data model and three
analytical models capable of performing risk assessment and decision-making process.
226
8.2 Research Contribution
Dry docking operations can lead to serious accidents. Therefore, dry docking-related safety has
to be improved; this can be carried out by using scientific risk assessment methodologies. The
findings from the literature review have exposed that there are no conceptual risk assessment
methodologies available for dry docking safety-related problems and the risk assessment of
ship docking is closely associated with a high level of uncertainty. Thus, Chapters 3, 4, and 5
have demonstrated the risk assessment based on safety principles of FSA under a high level of
uncertainty, and Chapter 6 is a cost benefit approach for decision making. The developed
methodologies are generic in nature and can be applied to any situation. In summary, these
methodologies can be concluded as follows:
Also, following the identification of the research needs, this PhD study has developed one data
model and two analytical models capable of performing risk assessment and decision-making
processes with confidence under the aforesaid circumstances. Such frameworks have been
demonstrated by three corresponding test cases with regard to the safety of ship-docking
operations. The frameworks have been developed in a generic sense to be applicable to both
engineering and managerial problems. They provide the basis for the generation of the various
risk analysis methods and decision-making procedures. In summary, the methods and
techniques can be concluded as follows:
Using FT-FSA to deal with the complexity of ship-docking operations and to provide a
framework to deal with a data model. The adoption of the FT-FSA concept is used to
solve existing gaps identified in this PhD (Section 1.4, Section 1.52 and Section 3.2).
Applying FT-BN to evaluate the risks of objects, subsystems and overall safety of a
typical graving-dock failure. Section 4.2 defines the importance of FT-BN overcoming
the limitations of FT-FSA, and Section 4.5 presents the framework, and this chapter is
concluded with a test case.
Employing Fuzzy Evidential Rule Base (FERB) to evaluate the risks of floating docking
to model epistemic uncertainties including non-specificity and vagueness (Section 5.4-
5.5). The advantages of this framework are demonstrated by using a numeric example
(Section 5.6)
Using truncated normal distribution BN for cost benefit analysis where many risk control
measures are involved (Section 6.4-6.6). In brief, Sections 8.2.1 to 8.2.3 highlight some
key aspects of these approaches.
227
8.2.1 FT-FSA approach in dry docking operation
The aim of the chapter is to show that the FT-FSA methodology of safety-relevant scenarios in
occupational accidents in shipyards can be analysed. The exemplary application is a ‘Fall from
Height’ scenario, which deals with concurrently interacting human operations and technical
system, and was used as a data model for decision making.
8.2.2 FT-BN approach in dry docking operation
The combination of these two approaches has been reported in aerospace and manufacturing
industries (Zhuang et al., 2011). BN is an approach to deal with intrinsic drawbacks in FTA.
This method is based on uncertainty treatment theory. BN has great ability to model
randomness and capture nonlinear causal relationships. This potential has increased its
popularity in recent years. Yang et al. (2008) state that it is ‘a powerful risk analysis tool,’
because it can be used in a range of real applications concerned with predicting properties of
safety-critical systems.
8.2.3 FERB approach in dry docking operation
The success of FSA depends on how practical solutions are provided for decision making under
uncertainty in dry docking operations. Fuzzy evidential reasoning (FER) capable of dealing
with uncertainty can be used either as a standalone method or be combined as part of an FSA
methodology (Godaliyadde et.al, 2009). The main focus of this chapter is to use fuzzy theory
and evidence theory approaches to deal with linguistic/subjective uncertainties of event
probabilities, and the latter is used to handle incomplete/partial ignorance of expert knowledge
(Ferdous et al., 2009).
8.2.4 Truncated normal distribution BN cost benefit analysis in dry docking operation
This chapter provides a robust method for evaluating the cost-effectiveness (CE) of risk control
options, which are identified in Chapter 4, 5 and 6. The deficiencies of current CE methods are
highlighted, undermining the lucidity and consistency in application. The proposed approach
outlines a subjective mathematical formulation that neatly integrates all aspects of CE measures
along with its application based on the ranked nodes with Truncated Normal distribution
Bayesian network. FSA forms the basis for decision making towards mitigation of risk. The
latter is done through determination of risk control options (RCOs), ranking them according to
228
impact on risk and cost, and provision of recommendations as to which RCOs are most
sensible.
8.3 Practical Applications of PhD Research
It is also believed that these methods can be tailored to practical applications of dealing with
safety problems in other industries, especially in situations where a high level of uncertainty
exists. The implementation of the described approaches could have highly beneficial effects in
real life. More specific description can be provided as follows:
1) A framework of aggregative risk assessment for representing the relationships of
component, subsystems and overall ship-docking floating system
2) A framework of FTA for representing the cause-effect relationship of specific risks
3) A framework for decision making when considering cost-effectiveness of controlled
risks
FSA is used to evaluate the framework of aggregative risk assessments for a ship-docking
system. Two mathematical theories are combined for assessing risks (FT-BN and FERB) in
Chapters 4 and 5. Fuzzy set theory is used to represent the characteristics of a hazard such as
likelihood of occurrence and consequence severity. ER is used to combine newly obtained data
for the updating existing risk estimates at the bottom level of the framework. Risk analysts can
use this information to compare risks of base events (BE) and even the overall risk of the
system. As demonstrated in Table 5.11 and Figure 5.12, the overall failure of the system is
presented according to the FV-I ranking result, where the intermediate events needing the most
attention are presented. By considering the risk value or probability value and the weight of
each expert, the most critical intermediate system can be identified. Keel block loads
calculations are selected as the most critical event concerning the failure of the pontoon deck.
In the absence of exact data, and where there exists common failures, it is necessary to work
with subjective probabilities. The combination of the mathematical theories of FT-BN is used.
This combines the advantages of FTA and BN to propose a more effective BN development
process by transforming a multi-state FT into a BN framework. The process was then used to
build a ship-docking system. The results of FT-BN are the likelihood of occurrence for specific
risks and importance measures of potential contributing factors. Application of FT-BN in
Chapter 4 shows that it is useful to identify critical intermediate events for a specific risk, as
shown in Table 4.5 and Table 4.6.
229
Results of Chapters 4 and 5 help the analyst to select RCOs to mitigate risk for the most critical
intermediate events and overall safety of the ship-docking structure. It is not financially
possible to select all the proposed RCOs. Therefore, truncated normal distribution using a
weighted average BN structure is tailored to select the best RCO from a large number of RCOs.
When dealing with RCO ranking/selecting, available decisions are collected not only from
experts but from decision-makers as well. When evaluating RCOs for enhancing the safety of
a ship-docking system, there are parameters that need to be considered, as presented in Table
6.1 and Table 6.2. On the basis of the test case in Chapter 6 involving elements of pontoon
deck failure and gate failure, it is reasonable to judge that the decision-making model developed
is capable of handling such problems. The proposed method is particularly useful in
circumstances where multiple experts and multiple decision-makers are involved.
Since the test cases in this study provide reasonable results, it is felt that the analytical models
developed have the potential to improve the safety of ship-docking operations. Such models
can be applied in individual shipyards. More importantly, these frameworks can be integrated
to formulate a formal safety platform to facilitate risk assessment and safety management of
ship-docking operations without jeopardising the efficiency of operations in a variety of
situations where traditional techniques may not be applied with confidence.
8.4 Integration of Results
This PhD research compares the outcome of using risk assessment and cost benefit analysis.
For Study A (Chapter 4) the most critical intermediate events identified are in the following
order (section 4.8.6 – section 4.8.7): RCOA2, RCOA7, RCOA5, RCOA8, RCOA1, RCO3 and
RCOA4.
RCO 2- Preventing any buoyancy obtained from the upper chamber, these include improved
inspection in Tidal Chamber, focusing on Tidal flaps connected by wires, and tidal valves.
RCO 7- Preventing failures of control system, these include maintenance of driving winch,
control panels and control tank gauges.
RCO 5- Loads from water pressure – rolling and holding gate in centre of recess – roller guide
gates using a pair of rollers, into a central guide-wall, holding the gate in the centre of the
recess.
230
RCO 8- Tank operation issues, putting in permanent ballast to bring the gate to an even keel,
two scuttle tanks, used to sink the gate into position, how the two ballast tanks are flooded
when the gate is closed to increase stability and prevent any movement due to wave action.
RCO 1- Maintenance on towing system, these include removal and maintenance of the rollers
in air chambers, gate-shifting system inspection (A 2-pile system, and hydraulic trolley).
RCO 3- Constantly controlling an even draught (stability concerns) by using trimming tanks.
RCO 4- Improve structural element inspection – walls, floors, decks, walkway, handrails,
guiding post.
RCO 6- Maintain gate water tightness – a roller L-shaped strip was fixed to the outer edge of
the green heart-facing pieces, which must be constantly maintained and checked.
But comparing the result of Chapter 4, with the result of cost effectiveness analysis (section
6.6.2 – section 6.6.3) categorised in the following order RCOA: RCOA1, RCOA2, RCOA3,
RCOA6, RCOB5, & RCOA4, we noticed that RCOA1 is the most important risk control option
as opposed to RCOA2. Therefore care is required when making decisions between the risk
analysis method and cost-benefit assessment.
Likewise, the result of Chapter 5 (section 5.7.7) identifies the following critical intermediate
events in the following order: RCOB4, RCOB2, RCOB3 and RCOB5, and the result from cost-
effectiveness (section 6.6.2) gives a different ranking order RCOB: RCOB4, RCOB5, RCOB1,
RCOB6, and RCOB2 & RCOB3.
8.5 Limitations of Research
Floating and graving dry dock failure data are scarce or incomplete; as such, the uncertainty
associated with docking and undocking evolution problems may significantly undermine the
risk assessment conducted based on traditional risk assessment techniques. In order to deal
with these, novel risk assessment techniques have to be developed and applied.
The first challenge under uncertainty comes when risk estimation is conducted for the identified
hazards. Hazard identification is normally carried out by employing traditional hazard
identification techniques such as preliminary hazard analysis (PHA) and hazard and operability
study (HAZOP). Hazard identification and risk estimation can also be conducted by utilising
techniques like fault tree analysis (FTA) and event tree analysis (ETA). However, due to high
levels of uncertainty related to docking and undocking evolution problems, such techniques
231
may be unsuitable; therefore the solution is achieved by developing a novel approach with the
combination of fuzzy rule base, evidential reasoning, and Bayesian networks.
The second challenge is associated with decision making based on risk estimation results under
a high level of uncertainty. The problem becomes more complex if interval data have to be
taken into account. Interval data increase the complexity of criteria aggregation which further
increases the complexity of the problem. It should be noted that when the complexity of a
problem increases uncertainty will be further increased. These problems are solved and
decision making conducted by carrying out cost benefit analysis.
The third challenge under uncertainty arises when risk control options are chosen for identified
areas of high-risk estimation. Also, expert judgement plays a vital role in this subjective
assessment. There is also the challenge of validating the generic models developed in each
technical chapter. These are all novel models in an area in which no conceptual scientific risk
assessment work has been done so far. However, this challenge is partially met by applying
these models to real floating and graving dry docks.
8.6 Implications for Further Research
On the basis of the key findings and limitations of this PhD research, further research will be
needed in a number of areas. The major challenge of conducting this research was the high
level of uncertainty which arises from the lack of data for use in risk assessment. The
confidence and effectiveness of application of the FSA methodology is highly dependent on
the reliability of system failure and accident data. It was found that many organisations dealing
with ship-repairing activities have a poor organisational structure. This research shows the
importance of recording relevant dry docking accident data for conducting risk assessments to
obtain reasonable results. It is anticipated that the application of FSA may trigger the
organisations concerned about ship repair to collect the relevant data by improving their
organisational structure. The ship docking organisations may improve their organisational
structure by implementing the following steps:
Keep a separate log book for each docking ship problem,
Keep health records for workers under health surveillance,
Keep a record of the risk assessment and control actions,
Appropriate training and educational programmes could be developed for the crew, identifying
ways in which ship docking problems could be prevented and how such problems should be
232
dealt with should they occur. Such training programmes could become the starting point for
the development of a safety culture within the ship docking industry. The outcome of the risk
assessment of ship docking operations may be used to identify areas in which development of
such training and education programmes is required. This could lead to the reduction of human
error on board, which is one of the leading contributory factors for marine accidents (IMO
MSC/Circ. 565, 2001). The findings and results produced in this research can also be helpful
in conducting human error analysis in ship docking organisations.
There are some limitations of the generic uncertainty treatment methods developed in this
research. Further research would be needed to improve these novel methods. Since these
methods are generic they can be applied and improved in other industries such as nuclear, oil
and gas, and aviation. Furthermore, the development of software tools incorporating the
developed models in this research may be potentially useful. The marine industry is heading
towards a goal-setting risk-based regime under the safety principles of FSA, which gives
decision-makers more flexibility for developing and utilising novel risk assessment methods;
one of which is a subjective modelling approach.
The key element for reaching adequate results is gaining suitable data. Often in dry docking
operations, domain data are collected as linguistic variables. Then they are processed into
numerical data with some errors. But even if data are hard to obtain and vary a lot with time,
the FSA method based on fuzzy rule base, evidential reasoning, and Bayesian networks helps
to get an acceptable outcome, with great tolerance, and it is insensitive to errors made in
changing linguistic into numerical data, which is the biggest problem in such domains of
research.
Lack of reliable safety data and lack of confidence in safety assessment have been two major
problems in safety analysis in dry docking operations. To solve such problems, further
development may be required to develop novel and flexible safety assessment techniques for
dealing with uncertainty properly and also to use decision-making techniques on a rational
basis. Also software safety analysis is another area where further study is required. In recent
years, advances in computer technology have been increasingly used to fulfil control tasks to
reduce human error and to provide operators with a better working environment in ship-
docking systems. The utilisation of software in control systems has introduced new failure
modes and created problems in the development of safety-critical systems. In formal ship-
docking safety assessment, every safety-critical system also needs to be investigated to make
233
sure that it is impossible or extremely unlikely that its behaviour will lead to a catastrophic
failure of the system and also to provide evidence for both the developers and the assessment
authorities that the risk associated with software is acceptable within the overall system risks
(Wang, 2007). It is also very important to take into account human error problems in formal
safety assessment. Factors such as language, education and training, which affect human error,
need to be taken into account. The confidence of formal safety assessment greatly depends on
the reliability of failure data. When evaluating risks under circumstances of the scarcity of data,
perhaps due to the high level of costs in conducting a full-scale experiment, the use of computer
simulation may be potentially useful.
More test case studies also need to be carried out to evaluate and modify formal ship-docking
safety assessment and associated techniques and to provide more detailed guidelines for their
employment. This would enable validation of them and can also direct the further development
of flexible risk modelling and decision-making techniques and facilitate the technology transfer
to industries. The dry docking industry is moving towards a risk-based goal-setting regime.
This provides safety analysts with more flexibility to employ novel and the latest risk modelling
and decision-making techniques. Subjective modelling and approximate reasoning methods
may be useful approaches. It may be beneficial if the novel techniques developed in this
research could be further applied to facilitate risk modelling and decision making. The cost
data are related to the estimation of investment costs, operating costs, inspection and
maintenance costs, and the cost for clean-up, pollution, etc. In many cases, data are insufficient
to carry out an appropriate estimation of risk. Also, since the methodologies proposed in this
research are generic in nature, such frameworks can be further verified for safety analysis
outside the dry docking industry. This will provide an added value to the promotion of their
use in different industries.
It is clear that it would be possible to reduce ship docking accidents by good design, training
and operation in an appropriate formal safety management system. As public concern regarding
maritime safety increases, more and more attention has been directed to the wide application
of formal safety assessment of ship-docking system as a regulatory tool. It is believed that the
adoption of this PhD research in the ship-docking operation will reduce maritime risks to a
minimum level. This PhD research also provides a platform on which further research on risk
assessment of ship docking evolution, based on the safety principles of FSA, could be
undertaken to improve the safety of the ship-docking environment.
234
References
Adamyan, A., and David, H. (2002). Analysis of sequential failures for assessment of reliability
and safety of manufacturing systems. Reliability Engineering and System Safety, 76, pp. 227-
236
American Bureau of Shipping (ABS). (2009). Rules for building and classing steel floating dry
docks. American Bureau of Shipping, ABS Plaza, Houston, USA
Aminravan, F., Hoorfar, M., Sadiq, R.,Francisque, A., Najjaran, H., Rodriguez, M.J. (2011).
Interval belief structure rule-based system using extended fuzzy Dampster-Shafer inference. In
the Proceedings of IEEE International Conference on Systems, Man, and Cybernetics, 3022,
pp.3017-3022
Aminravan, F., Hoorfar, M., Sadiq, R.,Francisque, A., Najjaran, H., Rodriguez, M.J. (2012).
Multicriterial information fusion using a fuzzy evidential rule-based framework. In the
Proceedings of IEEE International Conference on Systems, Man, and Cybernetics, Korea
Anrig, B., and Kohlas, J. (2003). Model-based reliability and diagnostics: A common
framework for reliability and diagnostic. International Journal of intelligent system, (18), pp.
1001-1033
Ansbert, J. (2008). Hanjin had no safety office during accident. Inquirenet, pg. 3
Akan, A.O, Schfran, G.C., Pommerenk, P., and Harrell. L.J. (2000). Modelling stormwater
runoff quantity and quality form marine dry docks. Journal of Environmental Engineering, 126,
1, pp.5-11
Aristo, V. (2012). Ship construction and risk assessment. Marinco Survery B.V., Rotterdam
ASNZS4360 (2004). Risk management. (pdf), Joint Technical Committee OB-007, Joint
Austrialina/New Zealand Standard
Aven, T. (2008). Risk analysis - Assessing uncertainties beyond expected values and
probabilities. Wiley, N.J
Ayub, B. (2001). A practical guide on conducting expert-opinion elicitation of probabilities
and consequences for corps facilities. (Prepared for US. Army Corps of Engineers Institute for
Water Resources, Alexandria, VA 22315-3868)
Ayyub, B. and Klirr, J. G. (2006). Uncertainty modelling and analysis in engineering and the
sciences. (Chapman & Hall/CRC)
235
Baccarini, D., and Archer, R. (2001). The risk ranking of projects: a methodology. International
Journal of Project Management, 3, 19, pp. 139-145
Bae, H., Granhi, V. R., and Canfield, A.R. (2004). An approximation approach for uncertainty
quantification using evidence theory.Reliability Engineering and System Safety, 86, pp. 215-
225
Baris, B. (2012). Shipyard fatalities in Turkey. Elsevier Ltd, Safety Science: 50: 1247-1252,
Istanbul Technical University, Faculty of Naval Architecture and Ocean Engineering, Istanbul,
Turkey
Bai, Y. (2003). Formal safety assessment applied to shipping industry, In: Marine structural
design. Elsevier Ocean Engineering Series
Baris, B. (2012). Shipyard Fatalities in Turkey. Elsevier Ltd, Safety Science, 50, pp. 1247-
1252
Baron, J. (2000). Thinking and deciding. Cambridge, 3rd edition, University Press
Bartlett, L.M., Hurdle, E.E., and Kelly, E.M. (2009). Integrated system fault diagnostics
utilizing diagraph and FT-based approach. Journal of Reliability Engineering and System
Safety, (94), 1007-15
Barlow, R.E. (1988). Using influence diagrams. In: Clarotti CA, Lindley DV, editors.
Accelerated life testing and experts’ opinions in reliability, pp.145-157
Becht, P.M., and Heger, R.E. (2006). Introduction to dry docks. Design of Marine Facilities
for the Berthing, Mooring, and Repair of Vessels, Chapter 10
Billard, Y., Bernard, O., Lasne, M., Carpra, B., Schoefs, F., and Boreo, J. (2007). Risk analysis
and reliability of repaired concrete quays. Proceeding of 10th international conference of
applications of statistics and probability in civil engineering, Tokyo
Boardman, E.A., Greenberg, D.H., Vining, A.R., and Weimer, D.L. (2006). Cost-benefit
analysis- Concepts and practice. New Jersey
Bobbio, A., Portinale, L., Minichino, M., and Ciancamerla, E. (2001). Improving the analysis
of dependable systems by mapping fault trees into Bayesian networks. Elservier, 71, pp.249-
260
236
Bryan J. J. (2009). A risk based maintenance methodology of industrial systems. School of
Engineering, Liverpool John Moore’s University, UK
Bureau of Labour Statistics (BLS) (2008). Census of Fatal Occupational Injuries, in
cooperation with State, New York City, District of Columbia, and Federal Agencies
Burton, H.E. (2001). Using Bayes Belief Networks in industrial FMEA modelling and analysis.
Proceedings Annual Reliability and Maintainability Symposium
Cabinet office. (2002). Risk: improving government’s capacity to handle risk and uncertainty.
Stragegy Unit Report, UK
Cai, Z.H., Sun, S.H., Si, S.B., and Wang, N. (2010). Modelling of failure prediction Bayesian
network based on Fault Tree Analysis. IEEE
Canadian Standard Association (CSA) (1991). Risk analysis requirements and guidelines.
Q636-91
Canadian Vickers Dry Docks Regulations (CVR). (2012). Minister of Justice, SOR/67-236
Carbajal, J.J., and Sanchez, L.P. (2008). Classification based on fuzzy inference systems for
artificial habitat quality in shrimp farming. Seventh Mexican International Conference on
Artificial Intelligence, 1996, pp. 388-392
Celik, M., and Er, I.D. (2006). Methodology of establishing executive maritime business
administrations program for maritime transportation industry. In Third International
Conference on Maritime Transport, pp. 953-961
Celik, M., Kahraman, C., Cebi, S., and Er, D. (2009). Fuzzy axiomic design-based performance
evaluation model for docking facilities in shipbuilding industry: The case of Turkish shipyards.
Expert Systems with Applications, 36, pp. 599-615
Checkland, P.B. (1989). Soft systems methodology. In: Rational analysis for a problematic
world. Problem Structuring Techniques for Complexity, Uncertainty and Conflict, pp. 71-100,
Wiley, Chichester
Cheng, Y. (2000). Uncertainties in fault tree analysis. Tamkang Journal of Science and
Engineering, 3, 1, pp. 23-29
Cheng, Y.S., Au, F.T.K., Tham, L.G., and Zeng, W.G. (2004). Optimal and robust design of
docking blocks with uncertainty. Engineering Structures, 26, pp. 449-510
Cheng, Y.S., and Zeng, G.W. (1995). Optimum dipostion of wooden blocks during ship
docking. Shipbuilding of China, 1, pp.18-27
237
Chhibber, S., Apostolakis, G., Okrent, D. (1992). A taxonomy of issues related to the use of
expert judgements in probabilities safety studies. Reliability Engineering and System Safety,
28, pp. 27-45
Cho, J., and Park, D. (2000). Novel fuzzy logic control based on weighting of partially
inconsistent rules using neural network. Journal of Intelligent and Fuzzy Systems, 8, pp. 99-
110
Chiou, B.S. (1995). Failure analysis in reliability engineering using is avoided, as depicted in
Figure 18(c). By contrast, Petri nets, MS Thesis, National Chiao Tung University, Republic of
China
Chris, H. and Kernel, B. (2012). Fault tree analysis with Bayesian Belief Networks for Safety-
Critical Software. QNX Software Systems
Chryssolouris, G., Makris, S., Xanthakis, V., and Mourtziz, D. (2004). Towards the internet-
based supply chain management for the ship repair industry. International Journal of Comptuer
Intergrated Manufacturing, 17, 1, pp. 45-57
Cirem, F. (1997). Serious industrial accident in shipbuilding. ID ES970712ON
Community of European Shipyard Association (CESA). Shipyard industrial report, www.-
shipbuilding .org/public_document-site. [Assessed date: 10th September 2008]
Cooke, R.M. (1991). Experts in uncertainty. Oxford University Press, Oxford
Cooke, R.M., and Goossens, L.J.H. (2000). Procedures guide for structured expert judgement.
European Commission, Nuclear Science and Technology, EURATOM, EUR 18820,
Luxembourg
Coutinho, J.S. (1994). Failure-effect analysis. Transactions of the New York Academy of
Sciences, 26, pp. 564-484
Cozman, F., and Krotkov, E. (1997). Truncated Gaussians as tolerance sets, Technical Report
CMU-RI-TRI, Robotics Int, Carnegie Mellon University
Crouigneau, S., Bourdon, L., Billard, Y., Person, J.L, and Schoefs, F. (2008). Risk analysis to
support operation and maintenance of an ageing dock gate for the port of Marseille Authority.
1st International conference on Heritage and Constructions in Coastal and Marine Environment
238
Da, J., Roland, C., Klass, V.D.M, Liu, J.,Wang, H., Martinez, L. (2009). Belief rule based
inference methodology to improve nuclear safeguards information evaluation. In the
Proceeding of IEEE: The 28th North American Fuzzy Information Processing Society Annual
Conference
Dilan, J. (2008). China fast becoming the world’s shipyard. Terrydially, pg. 2
Devanney, J. W. (2008). Uses and Abuses of Ship Casualty Data. Center for Tankship
Excellence, [available at www.c4tx.org]
Dempster, A. (1968). A generalization of bayesian inference. Journal of Royal Statistical
Society, 30, pp. 205-247
Det Norske Veritas (DNV). (2012). Rules for classification of floating docks. pdf
Detcher, R., and Mateescu, R. (2004). Mixtures of deterministics-probabilitics networks and
their search space. In Proceedings of the 20th Conference on Uncertainty in Artificial
Intelligence, pp. 120-129
Diez, F.J. (1993). Parameter adjustment in Bayes network: The generalised noisy-OR-gate.
Proceeding 9th Ann. Conference Uncertainty in Artificial Intellignece, UAI
Dhillon, B.S. (1988). Mechanical reliability, theory, models and applications. AIAA
Education Series, Washington DC.
Drewry Shipping Consultants (DSC) (2013). Ship repair. Spotlight Report
Druzdzel, M.K, and van der Gaag, L.C. (1995). Elicitation of probabilities for Belief
Networks: combining qualitative and quantitative information. Proceeding of 11th Ann. Conf.
Uncertainty in Artificial Intelligence, pp. 141-148
Dymova, L., and Sevastjanov, P. (2014). A new approach the rule-base evidential reasoning in
the intuitionistic fuzzy setting. Knowledge-Based Systems, 61, pp. 109-117
Elaheh, A., Aminravan, F., Hoorfar, M., Sadiq, R.,Francisque, A., Najjaran, H., Rodriguez,
M.J. (2013). A fuzzy rule based approach for water quality assessment in the distribution
network. In the Proceeding of IEEE, School of Engineering, University of British Columbia,
Canada
239
Eleye-Datuba, A.G (2005). Intergrative risk-based assessment modelling of safety-critical
marine and offshore applications. School of Engineering, Liverpool John Moore’s University,
UK
Eleye-datubo, A.G, Wall, A., Saadeji, A. and Wang, J. (2006). Enabling a powerful marine
and offshore decision-support solution through Bayesian network technique. Risk Analysis,
26, 3, pp. 695-721
Eddy, W.F., and Pei, G.P. (1986). Structures of rule-based belief functions. IBM Journal of
Research and Development, 30, 1, pp. 93-101
European Communities. (2001). Maritime safety - Results from the Transport Research
Program (pdf). Luxembourg: European Communities
Fang, Q. G., Wang, J., and Datubo, A. (2004). FSA and its application to the safety of ships.
Journal of China Institute of Navigation, 1, pp. 1-5
Fellows, R. and Liu, A. (2008). Research methods for construction, Wiley Blackwell
Publishers, UK.
Fenton, N.E., Neil, M., and Caballero, J.G. (2007). Using ranked nodes to model qualitative
judgements in Bayesian networks. IEEE. Transactions on Knowledge and Data Engineering,
10, 19
Fenton, N.E., and Pfleger, S.L. (1997). Software metrics: A rigorous and practical approach.
PWS Publising Company
Ferdous, R., Faisal, K., Rehan, S., Amyotte, P. and Veitch, B. (2009). Handling data
uncertainties in event tree analysis. Elsevier B.V: Process Safety and Environmental
Protection, 87, pp. 283-292
Frank, J.L. (1991). A survery of the principal elements of safety programs at nine American
shipyards. The National Shipbuilding Research Program, Ship Production Symposium
Proceedings, IXB-3
240
Franke, U., Johnson, P., Robert, L., Ulberg, J., Hook, D., Elkstedt, M., and Konig, J. (2009). A
formal method for cost and accuracy trade-off analysis in software assessment measures. In
IEEE, Industrial Information and Control Systems, Royal Institute of Technology, Sweden
Gaag, L.C, Renooij, S., Witteveen, C.L.M., Aleman, B.M.P., and Taal, B.G. (2001).
Probabilities for a probabilistic network: A case study in Oesophageal Carcinoma. Technical
Report UU-CS-2001-01, Univ. of Utrecht
Gaag, L.C, Renooij, S., Witteveen, C.L.M., Aleman, B.M.P., and Taal, B.G. (2002).
Probabilities for a probabilistic network: A case study in Oesophageal Cancer. Artificial
Intelligence in Medicine, 2, 25, pp. 123-148
Godaliyadde, D., Phylip-Jones, G., Yang, Z.L, Batako, A.D. and Wang, J. (2009). An analysis
of ship hull vibration failure data. Journal of UK Safety & Reliability Society, 29, 1, pp.15-26
GCaptain, S. Dry dock and tug sink at vigor’s everett, WA Shipyard.
http://gcaptain.com/dock-sink-vigors-everett-shipyard (accessed 7.03.2013)
Harren, P. (2012). Safe operation and maintenance of dry dock facilities. ASCE Manauls and
Reports on Engineering Practice, 121
Hauptamanns, U. (2004). Semi-quantitative fault tree analysis for plant safety using frequency
and probability ranges. Journal of Loss Prevention in the Process Industies, 17, 5, pp.339-345
Hartford, D.N.D., and Baecher, G.B. (2004). Risk and uncertainty in dam safety. Thomas
Telford Publishing Ltd
He, X., and Tao, X. (2011). A software safety test approach based on FTA and Bayesian
networks. IEEE, Prognostic & System Health Management Conference
Heckermann, D., Wellman, M. and MAMADANI, A. (1995). Real world applications of
Bayesian networks. Communications of the ACM, 38, 3
Heger, R.E. (2002). Floating dry dock accidents involving transverse bending failure of the
pontoon. The Royal Institution of Naval Architects: The British Library
Heckerman, D. (1996). A tutorial on learning Bayesian network. Technical Report MSRTR,
Microsoft Research
Heckerman, D. (1997). Bayesian networks for data mining. Data Mining and Knowledge
Discovery, 1, 1, pp. 79-119
241
Health Safety Executive (HSE). (2006). The health and Safety at Work Act. 174 ISBN 0 10
543774 3
Hollnagel, E. (2002). Understanding accidents-from root causes to performance variability. In
IEEE, Human Factors Meeting, Scottsdale, Arizona
Hollnagel, E. (2004). Barriers and Accident Prevention. Ashgate, Hamsphire, England
Hobbs, C. and Developer, K. (2012). Fault tree analysis with Bayesian belief networks for
safety-critical software. QNX Software systems
Hu, Y.C, Wang, P.L, Zheng, H. and Li, H. (1995). Safety Fault Analysis of Igniter Based on
FT and BN. Chinese Journal of Energetic materials, pp. 140-143
Hu, S., Fang, Q., Xia, H., and Xi, Y. (2007). Formal safety assessment based on relative risks
model in ship navigation. Reliability Engineering and Safety, 9, 3, pp. 369-377
Huang, Y.H, Ljung, M., Sandlin, J., and Hollnagel, E. (2004). Accident models for modern
road traffic, changing times creates new demands. In SMC (1): International Conference on
Systems, Man and Cybernectics, pp.276-281
Huang, K., and Henrion, M. (1996). Efficient search-based inference for noisy-OR Belief
Networks. Proceeding of 12th Ann. Conf. Uncertainty in Artificial Intelligence, 325-331, UAI
Hugin Software, (2013). Hugin A/S, www.hugin.com
Khakzad, N., Khan, F., and Amyotte, P. (2011). Safety analysis in process facilities:
Comparison of fault tree and Bayesian network approaches. Elsevier, Reliability Engineering
and System Safety, 96, pp. 925-932
Kral, C., Pirker, F., and Pascoli, G. (2005). Model-based detection of rotor faults without rotor
position sensor-the sensorless Vienna monitoring method. IEEE Transactions on industrial
applications, 3, 14, pp. 784-789
Lai, C.P., and Lee, J.J. (1989). Interaction of finite amplitude waves with platforms or docks.
Journal of Waterway, Port, Coastal, and Ocean Engineering, 115, 1, pp. 19-39
Langseth, H., and Portinale, L. (2007). Bayesian networks in reliability. Science-Direct,
Reliability Engineering and System Safety, 92, pp. 92-108
242
Laskey, K.B and Mahoney, S. (1998). Network fragments: Representing knowledge for
constructing probabilistic model networks. Proceeding of 13th Annual Conference Uncertainty
in Artificial, UAI
Lauritzen, S., and Spiegelhalter, D. (1988). Local computations with probabilities on graphical
structures and their application to expert systems (with discussions). Journal of the Royal
Statistical Society Series B, 50, 2, pp.157-224
Lee, J. O., Yeo, I.C and Yang, Y.S. (2001). A trial application of FSA methodology to the
hatchway watertight integrity of bulk carriers. Marine structure, 14, 6, pp. 651-667
Lee, T.Y (2008). Council urge shipyard to ensure worker safety. Workplace Safety and Health
Council
Lefevre, E., Colot, O., and Vannoorenberghe, P. (2002). Belief function combination and
conflict management. Elsevier Science, Information Fusion, 3, pp.149-162
Lewis, E.E. (1994). Introduction to reliability engineering. 2nd ed, John Wiley & Sons, New
York
Lois, P., Wang, J., Wall, A., & Ruxton, T. (2004). Formal safety assessment of cruise ships.
Tourism management, 25, pp.93-109
Lu, J., Bai, C., and Zhang., G. (2009). Cost-benefit factor analysis in e-services using Bayesian
networks. Expert Systems with Applications, 36, pp.4617- 4625
Lui, T., and Chiou, S.B. (1997). The application of petri nets to failure analysis. Reliability
Engineering and System Safety, 57, pp.129 -1428
Jiang, I., Grubbs, K., Haith, R., and Santomartino, V. (1987) DRYDOCK: an interactive
computer program for predicting dry dock blocks reactions. Transaction of Society of Naval
Architects and Marine Engineers, 95, pp. 29-44
ILO. Safety and health at Work. www.ilo.org/global/topics/safety-and-health-at-work/lang-
en/index.htm [accessed 7.02.2011]
Inozu, B. and Radovic, I. (2002). Six sigma implementation for ship maintenance and safety
management. Paper Presented at IAME Conference, Panama City, Panama
International Metal Federation (IMF). Strike in tzual shipyard. IMF newsletter,
www.imfmetal.org/main/index.cmf?&c=17804&1=2, [Accessed date: 16th June 2008]
IMO. (1997). Interim guidelines for the application of formal safety assessment to the IMO
rule-making process. London: MSC Circ. 1023
IMO. (2002). Guidelines for formal safety assessment (FSA) for use in the IMO rule making
process. MSC/Circ.1023
243
Ishibuchi, H., and Nakashima, T. (2001). Effect of rule weights in fuzzy rule based
classifications systems. Algorithms, 12, 15, pp. 506-515
Ishibuchi, H., and Yamamoto, T. (2005). Rule weight specification in fuzzy rule based
classification system. In the Proceeding of IEEE Transactions on Fuzzy Systems, 13, 4, pp.
428-435
ISO 31000 (2008). A structured approach to enterprise risk management and the requirements
of ISO 31000. (pdf), The Institute of Risk Management
Jansen, P. J., and Lee, T.S. (1978). 48 die in shipyard blast horror. The Straits Times, pp.1
Jiye, S., CAI, L. and Zheng, B. (2011). Bayesian Reliability Evaluation Method for the Rotor.
IEEE, University of Electronic Science and Technology of China
Joint Legislative Audit and Review Committee (JLARC) (2006). Review of port Angeles
graving dock project. Report No. 06-8, Olympia, pp. 294
Jong, C.G, and Leu, S.S. (2013). Bayesian-network based hydro-power fault diagnosis system
development by fault tree transformation. Journal of Marine Science and Technology, 21, 4,
pp. 367-379
Kan, S. (2003). Metrics and models in software quality engineering. Pearson Education, 2nd
edition
Keeney, R., von Winterfeldt, D. (1991). Eliciting probabilities from experts in complex
technical problems. IEEE Transaction of Engineering Management, 38, 3, pp.191-201
Kinner,E.B., and Stimpson, W.E. (1983). Artesina pressure relief for Trident dry dock. Journal
of Construction Engineering and Management, 109, 1, pp. 74-88
Kontovas, C.A. and Psaraftis, H.N. (2009). Formal safety assessment: A Critical Review.
Marine Technology, 46, 1, pp. 45-59
Korean Register (KR). (2010). Rules and guidance for the classification of floating docks.
Koeran Register of Shipping, RB-08-E
Kretzchmar, R. (2000). Best management practices for Oregon shipyards. Technical report
from Oregon Department for Environmental Qaulity. Oregon, pp.110
Kumanoto, T., Kameda, H., Hoshiya, M., and Ishii, K. (1990). Construction of difficult dry
dock in Yokohama, Japan. Journal of Construction Engineering and Management, 116, 2, pp.
201-220
Mackie, K.P. (1999). The practice of dry docking ships. The British Library, The World’s
Knowledge, UK
244
Mairstralis, E. (2007). Formal Safety Assessment of Marine Applications. Msc Thesis,
Liverpool John Moore’s University, UK
Martin Edmons. UK Shipbuilding & new direction. Centre of Defence & International Security
Studies (CDISS), University of Lancaster, www.global-defence .com/2001/SeaSpaert3.html
[Accessed date:29th August 2008]
Maritime Safety Agency. (1993). Formal Safety Assessment MSC 66/14’. Submitted by the
UK to IMO Maritime Safety Committee UK
Maybeck, P.S. (1979). Stochastic models, estimation and control. Academic Press, (1)
Mazurkiewicz, B.K. (1980). Design and construction of dry docks. Trans Technology
Publications Limited
McDevitt, M.E., Zabarouskas, M.W., and Crook, J.C. (2005). Ship repair workflow cost model.
Military Operations Research, 10, 3, pp. 25-43
Mikulik, J., and Zajdel, M. (2009). Automatic risk control based on FSA methodology
adaptation for safety assessment in intelligent buildings. International Journal of Applied
Maths and Computer Science, 19, 2, pp. 317-326
MIL-STD-1625D (2009). Safety certification program for drydocking facilities and
shipbuilding ways for U.S. navy ships. Department of Defence Standard Practice, USA
Morgan, M.G and Hernrion, M. (1990). Uncertainty: A Guide to Dealing with Uncertainty in
Quantitative Risk and Policy Analysis. Cambridge University Press, Cambridge, UK
Mustapha, F., Sapun, S.M., Ismali, N. and Mokhtar, A.S. (2004). A computer based intelligent
system for fault diagnosis of an aircraft engine. Engineering Computations, 21, 1, pp.78-90
Myllymaki, P. (2002). Advantages of Bayesian networks in data mining and knowledge
discovery. http://www.bayesit.com/docs/advatanges.html
Najafi-Jilani, A., and Naghavi, A. (2009). Numerical modelling of seawater flow through the
flooding system of dry docks. International Journal of Naval Architect and Ocean Engineering,
1, pp.57-63
245
Naval Sea System Command (NAVSEA) (1996). Docking instructions and routine work in
dry dock. Naval Ships Technical Manual S9086-7G-STM-010, Department of the Navy,
NAVSEA, Arlington, VA., Ch. 997
Neil, M., and Fenton, N. (2012). Risk assessment and decision analysis with Bayesian
networks. Taylor & Francis Group, UK
Nikhil, R.P., and Kuhu, P. (1999). Handling of inconsistent rules with an extended model of
fuzzy reasoning. Journal of Intelligent and Fuzzy Systems, 7, pp. 55-73
Norway (2000). Formal safety assessment: Decision parameters including risk acceptance
criteria. London: IMO MSC 72/16
Nwaoha, T.C, Yang, Z., Wang, J. and Bonsal, S. (2011). A New Fussy Evidential Reasoning
Method for Risk Analysis and control of a Liquefied Natural Gas Carrier System. Journal of
Engineering for the Maritime Environment (206-225)
Occupational Safety and Health Administration (OSHA) (2002). Fatal Scaffolding Accidents
brings $ 159,350 in fines for three New York contractors. US department of Labour, office of
communication
Occupational Safety and Health Admisnistration (OSHA). Voluntary protection programs
guidelines. Available at: http:www.osha.gov [Accessed: 28th August 2008]
Parsons, S. (2001). Qualitative methods for Reasoning under Uncertainty, British Library
Peterson, J.L. (1999). Petri net theory and the modelling of systems. Prentice-Hall, Englewood
Cliffs, NJ
Pillay, A and Wang, J. (2003). Formal safety assessment and it’s relation to offshore safety
case approach in: Technology and safety of marine systems. Elsevier Ocean Engineering Series
Psarros, G., Skjong, R., Vanem, E. (2010). Risk acceptance criterion for tanker oil spill risk
reduction measures. Marine Pollution Bulletin
Puisa, R., and Vassalos, D. (2012). Robust analysis of cost-effectiveness in formal safety
assessment. Journal of Marine Science and Technology, 17, 3, pp. 370-381
Rajiv, K.S., and Pooja, S. (2012). System failure behaviour and maintenance decision making
using RCA, FMEA and FM. Journal of Quality in Maintenance Engineering, 61, 1, pp. 64-88
246
Reed, W., Midtgaard, A.K., Haver, K., and Wiencke, H.S. (2010). Evaluation of safety
measures in road tunnels based on cost-effective analysis. Reliability, Risk and Safety:Thoery
and Applications, Taylor & Francis Group, London
Regan, J.E., Davies, S., and Valdez, M.E. and Robeerts, B.W. (2007). Automated monitoring
system used to support dry docking operations at electric boat. In: The Seventh International
Symposium on Field Measurements and Geomechanics, USA, pp. 24-27
Renn, O. (2008). Risk governance: coping with uncertainty in a complex world. London:
Earthscan
Renooij, S. (2000). Probability elicitation for Belief Networks: Issues to consider. The
Knowledge Eng. Rev., 3, 16, pp. 255-269
Rosqvist, T., and Tuominen, R. (2004). Qualification of formal safety assessment: an
exploratory study. Safety Science, 42, pp. 99-120
RINA (2012). Formal Safety Assessment. Royal Institution of Naval Architects, London, UK2
Sadiq, R., Najjaran, H. and Kleiner, Y. (2006). Investigating evidential reasoning for the
interpretation of microbial water quality in a distribution network. Stochastic Environmental
Research and Risk Assessment, 21, pp. 63-73
Sadiq, R., and Rodriquez, M.J. (2005). Interpreting drinking water quality in the distribution
system using Demster-Shafer theory of evidence. Chemosphere, 59, 2, pp. 177-188
Sadiq, R., Najjaran, H. and Kleiner, Y. (2006). Investigating evidential reasoning for the
interpretation of microbial water quality in a distribution network. Stochastic Environmental
Research and Risk Assessment, 21, pp. 63-73
Salzer, J.R. (1986). Factors in the selection of drydocking systems for shipyards. Journal of
Ship Production, 2, 2, pp. 110-119
Seelam, J.K. (2008). Dry dock orientation and its effect on hydrodynamics and sediment
transport in a macro-tidal environment. COPEDEC, 7th International Conference on Coastal
and Port Engineering in Developing Countries, Dubai
Sekimizu, K. (1995). Current work at IMO on formal safety assessment. Formal Safety
Assessment Seminar
247
Sentz, K. and Ferson, S. (2002). Combination of evidence in Dempster-Shafer theory. SAND-
0835
Shafer, G. (1976). A mathematical theory of evidence. Princeton University Press, Princeton
Shao J., Cai, L., Zheng, B., and Miao, Q. (2011). Bayesian reliability evaluation method for
the rotor’, IEEE, 6(978), pp. 4577-1232
Ship Structure Committee (SSC) (2000). Prediction of structural response in grounding
application to structural design. Ship Structure Committee, 416
Shortliffe, E.H. (1976). Computer-based medical consultations. MYCIN, Elsevier, New York,
NY.
Shugar, T.A., Holland, T.J., and Malvar, L.J. (1991). Advanced finite element analysis of
drydocks and waterfront facilities - A technology assessment. Technical notes A496342,
NCEL, Port Hueneme CA, USA, pp. 160
Singer, D. (1990). A fuzzy set approach to fault tree and reliability analysis. Fuzzy Sets and
Systems, Vol. 34, pp. 145-155
Smets, P. (2007). Analysing the combination of conflicting belief functions. Information
Fuzzion, 8, 4, pp. 387 - 412
Sorensen, J.D., and Burcharth, H.F. (2004). Risk based optimization and reliability levels of
coastal structures. International forum of engineering decision making tools, Switzerland
Taha, H.A. (1971). Operations research. Macmillan, Basingstoke
Takikawa, M., and D’Ambrosio, B. (1999). Multiplicative factorization of noisy-max. Proc.
15th Ann. Conf. Uncertainty in Artificial Intelligence, UAI
Taravella, B.M. (2005). Accuracy assessment of methods for predicting dry dock block
reactions. Marine Technology and SNME News, 42, 2, pp.103
Tan, L.Y. (1990). 76 dies in sypros accident. National Library Board Singapore
Thibeaux, J.F., Fratila, N., Knuckey, D.M., Berry, M, and Endley, S.N. (2004). Design issues
for marginal wharf structures. In: Port Development in the Changing World. USA
248
Trbojevic, V.M. and Carr, B.J. (2000). Risk based methodology for safety improvements in
ports, J. Hazardous Mater, 71, pp. 467 - 480
Tupper, E. (2013). Introduction to naval architecture. Fifth edition, Royal Institute of Naval
Architecture, Elsevier
Vanem, E., & Ellis, J. (2010). Evaluating the cost-effectiveness of a monitoring system for
improved evacuation of passenger ships. Safety Science, 48, pp.788 - 802
Vick, S.G. (2002). Degrees of belief: Subjective probability and engineering judgement.
ASCE, Reston, VG
Vince, L.J. (1995). Experience of formal safety & benefits to shipping. AEA Technology, Risk
Based Safety Management
Wallenius, J., Dyer, J.S., Fishburn, P.C., Steeuer, R.E., Zionts, S., and Deb, K. (2008). Multiple
criteria decision making, multiattribute utility theory: Recent accomplishments and what lies
ahead. Management Science, 45, pp. 1336 - 1349
Wang, J. (2000). A subjective modelling tool applied to formal ship safety assessment. Ocean
Engng, 27, 10, pp.1019-1035
Wang, J. (1997). A subjective methodology for safety analysis of safety requirements
specifications. IEEE Trans. Fuzzy System, 5, 3, pp. 418-430
Wang, J., Yang, J.B. and Sen, P. (1995). A safety analysis and synthesis using fuzzy set
modelling and evidential reasoning. Reliability Engineering Systems Safety, 47, pp.103-118
Wang, J. and Trbojevic, V. (2007). Design for Safety of Marine and Offshore System,
IMarEST publication
Wang, C., and Xie, Y. (2004). Applying Bayesian network to distribution system reliability
analysis. IEEE, Region 10 Conference, TENCON
Wang, Y.F., Xie, M., Chin, K.S., Fu, X.J. (2013). Accident analysis model based on Bayesian
network and evidential reasoning approach. Journal of Loss Prevention in the Process
Industries, 26, pp. 10-12
249
Wang, Y.M., Yang, J.B., Xu, D.L. (2006). Environmental impact assessment using the
evidential reasoning approach. European Journal of Operational Research, 173, 3, pp. 1885-
1913
Wang, J. (2001). Current status and future aspects of formal safety assessment of ship. Safety
Science, 38, pp. 19-30
Wasalaski, R.G. (1982). Safety of floating dry docks in accordance with MIL-STD-1625A
Wang, J., and Ruxton, J. (1997). A review of safety analysis methods applied to the design
process of large engineering products. Journal of Engineering Design, 8, 2, pp. 131-152
Wellman, M.P (1990). Fundamental Concepts of Qualitative Probabilistic Networks.
Artificial Intelligence, 3, 44, pp. 257-303
Wilcox, C.R. and Ayyub, M.B. (2003). Uncertainty modelling of data and uncertainty
propagation for risk studies. IEEE Proceedings of the Fourth International Symposium on
Uncertainty Modelling and Analysis, pp. 184-191
Wojtek, K.P., and Milford, R. (2006). An efficient framework for the conversion of fault trees
to diagnostic Bayesian network models. IEEE, Aerospace conference
Wu, A.H., Cecilio, J., and Bayles, R.A. (1990). Stability analysis and displacement
measurements of graving dry dock walls. British library, Naval Engineers Journals, 3, 102,
pp. 6 - 30
Wu, A.H., Yachnis, M., and Brooks, E.W. (1984). Structural analysis of graving drydock by
the finite element method. Proceeding of 4th International Conference on Applied Numerical
Modelling, Taiwan, pp.159 -163
Wu, H., Cecilio, J.S., and Bayles, R.A. (1990). Stability analysis and displacement
measurements of graving drydock walls. The Naval Engineering Journal
Xu, D.L, Liu, J., Yang, J.B., Liu, G.P., Wang, J., Jenkinson, I. (2007). Inference and learning
methodology of belief-rule based expert system for pipeline leak detection. Expert Systems
with Applications, 32, 1, pp.103-113
Yanez-Godoy, H., Schoefs, F., Nouy, A., Rguig, M., Voisin, D., and Casari, P. (2006).
Extreme storm loading on service wharf structures: interest of monitoring for reliability
updating. European Journal of Civil Engineering, 5, 10, pp. 565-581
250
Yang, J., and Singh, M.G. (1994). An evidential reasoning approach for multiple-attribute
decision making with uncertainty. IEEE Transactions on Systems Man and Cybernetics, 8, 4,
pp. 1-18
Yager, R.R. (2008). Human behavioural modelling using fuzzy and Dempster-Shafer theory.
Social Computing, Behavioral Modelling, and Prediction, pp. 89-99
Yang, J.B., Liu,J., Xu, D.L., Wang, J., and Wang, H.W. (2007). Optimization models for
training belief-rule based systems. In the Proceeding of IEEE Transactions on Systems, Man,
and Cybernetics-Part A: Systems and Humans, 37, 4, pp. 569-585
Yang, Z., Bonsall, S., And Wang, J. (2008). Fuzzy rule based Bayesian reasoning approach
for prioritization of failures in FMEA. IEEE Transaction on Reliability, 57, 3, pp. 517-528
Yang, Z., Wang, J., Bonsall, S., Fang, Q. and Yang, J.B. (2005).A subjective risk analysis
approach for container supply chains. Int. J. Automation and Computing, 2, 1, pp. 85-92
Yang, J. B., and Xu, D. L. (2002). On the Evidential Reasoning Algorithm for Multiple
Attribute Decision Analysis under Uncertainty, IEEE Transactions on Systems, Man and
Cybernetics - Part A: Systems and Humans, 32, pp. 289-304
Yang, J.B., Liu, J., Wang, J., Sii, H.S., and Wang, H.W. (2006). Belief rule-base inference
methodology using the evidential reasoning approach, RIMER. In the Proceeding of IEE
Transactions on Systems, Man, and Cybernetics-Part A: Systems and Humans, 36, 2, pp. 266-
285
Williams, T.M. (1993). Risk-management infrastructure. International Journal of Project
Management, 1, 11, pp.5-10
Zadeh, L.A. (1965). Fuzzy sets, information and control, 8, 3, pp.338-353
Zagorecki, A and Druzdzel, M. (2004). An empirical study of probability elicitation under
Noisy-OR Assumption. Proceeding of 17th Int’l Florida Artifical Intelligence Research Soc.
Conf. (FLAIRS ’04), pp. 880-885
Zhang, L.W and Guo, H.P. (2006). Introduction to Bayesian networks. Beijing, Science Press
Zhu, H., and Basir, O. (2013). A fuzzy evidential reasoning data fusion approach with
uncertainty evaluation for robust pattern classification. PAMI Research Group, University of
Waterloo, (pdf) Canada
251
Zhuang, L., Jun, L, and Zhiqun, G. (2011). FTA and BN methodologies in the electrostatic
safety analysis of vessel’s oil system. IEEE, 978, 1, pp. 61284-666
Zuse, H. (1997). A framework of software measurement. Walter de Gruyter
252
Appendix
Appendix 1- Definitions of typical terms
Accident: An unintended event involving fatality, injury, ship or other property loss or damage,
and/or environmental damage (IMO MSC/Circ.829, 1997; IMO MSC/Circ.1023, 2002).
Consequence: The outcome of an accident, there may be different possible consequences, e.g.
human fatalities (or injuries), environmental pollution, loss / damage to property (Wang &
Trbojevic, 2007).
Failure: Any change in the shape, size or material properties of a structure, machine, or
component that renders it unfit to carry out its specified function adequately (Dhillion, 1998).
Formal Safety Assessment: A structured and systematic methodology, aimed at enhancing
marine safety, including protection of life, health, the marine environment and property by
using a scientific approach (Maistralis, 2007).
Generic Model: A set of functions which are common to all ships or areas or properties under
consideration (Eleye-Datubo, 2006).
Hazard: A physical situation with a potential for human injury, damage to property or the
environment or some combination of those items (Wang & Trbojevic, 2007).
Uncertainty: A state of doubt regarding quantitative or qualitative information describing,
prescribing or predicting deterministically and numerically a system, its behaviour or other
characteristics (Zimmermann, 2000).
253
Appendix 2 - Journal publication arising from this PhD research
Njumo, D.A., (2013). Fault tree analysis-Formal safety assessment in ship repair industry –
A made easy approach. International Journal of Maritime Engineering. Transaction of Royal
Institute of Naval Architecture, Jan-Mar, UK
FAULT TREE ANALYSIS (FTA) - FORMAL SAFETY ASSESSMENT (FSA) IN
SHIP REPAIR INDUSTRY A MADE EASY APPROACH
D A. Njumo, Liverpool John Moore’s University, UK
Summary
Fault tree-Formal Safety Assessment (FT-FSA) is the premier scientific method that is
currently being used for the analysis of maritime safety and for formulation of related
regulatory policy. To apply FSA in this paper, all five steps are considered and critical
information highlighted in each step as reviewed in the literature. A novel 15 steps approach
of FT-FSA is introduced in the systematic accident scenario considered in this study as
emergent phenomena from variability and interactions in shipyard (considered as a complex
system).The results of this paper will be useful for guidelines and regulatory reforms in ship
repair industry as demonstrated by identifying ‘fall from height in ship repair occupational
hazards’ for recommendation in decision making.
254
Appendix 3 - Shipbuilding/repair-kind of accident by report type (HSE UK)
KIND FATAL MAJOR 3 DAY TOTAL
99/00 00/01 01/02 99/00 00/01 01/02 99/00 00/01 01/02 99/00 00/01 01/02
Machinery 0 0 0 6 3 5 18 13 10 24 16 15
Hit by object 0 0 0 23 32 15 114 99 77 137 131 92
Fall structure 1 3 4
Fall
equipment
2 5 7
Ejected 1 2 3
Pressure 0 1 1
Hand tool 1 11 12
Hit by vehicle 0 0 0 1 0 3 1 7 2 2 7 5
Forward - - 0 - - 2 - - 1 - - 3
Reverse - - 0 - - 1 - - 1 - - 2
Overturn - - 0 - - 0 - - 0 - - 0
Runaway - - 0 - - 0 - - 0 - - 0
Other - - 0 - - 0 - - 0 - - 0
Hit Something
fixed
0 0 0 6 8 5 52 28 26 58 36 31
Structure - - 0 - - 3 - - 21 - - 24
Vehicle - - 0 - - 0 - - 0 - - 0
Step on - - 0 - - 0 - - 1 - - 1
Other - - 0 - - 2 - - 4 - - 6
Handling 0 0 0 7 9 9 166 120 144 173 129 153
Sharp - - 0 - - 4 - - 28 - - 32
Body
Movement
- - 0 - - 0 - - 42 - - 42
Person - - 0 - - 0 - - 0 - - 0
Person,
Equipment
- - 0 - - 0 - - 0 - - 0
Lifting,
Putting down
- - 0 - - 0 - - 26 - - 26
Pushing,
Pulling
- - 0 - - 0 - - 8 - - 8
Carrying - - 0 - - 0 - - 7 - - 7
Other - - 0 - - 5 - - 33 - - 38
Slip,trip 0 0 0 26 27 34 140 108 96 166 135 130
Wet - - 0 - - 3 - - 9 - - 12
Dry - - 0 - - 1 - - 5 - - 6
Obstruction - - 0 - - 10 - - 30 - - 40
Uneven - - 0 - - 3 - - 8 - - 11
Other - - 0 - - 17 - - 44 - - 61
Fall 1 0 0 30 27 22 62 62 22 93 89 44
High 1 0 0 8 10 7 12 10 1 21 20 8
Low 0 0 0 20 14 13 41 45 10 61 59 23
Other 0 0 0 2 3 2 9 7 11 11 10 13
Collapse 0 0 0 0 1 0 0 1 1 0 2 1
Drown,
Asphyxiation
0 0 0 0 2 0 1 1 0 1 3 0
Water - - 0 - - 0 - - 0 - - 0
Other Liquid - - 0 - - 0 - - 0 - - 0
Engulf - - 0 - - 0 - - 0 - - 0
Confined - - 0 - - 0 - - 0 - - 0
Choke - - 0 - - 0 - - 0 - - 0
Other - - 0 - - 0 - - 0 - - 0
Exposure 0 0 0 3 1 1 19 16 7 22 17 8
Handling - - 0 - - 1 - - 0 - - 1
Failure - - 0 - - 0 - - 0 - - 0
Normal - - 0 - - 0 - - 1 - - 1
255
Appendix 4 – Experts’ background
Expert Name Years of
experience
Expert
weight
1
Mbunja Gustave
Head of Department for Marine
Cameroon Shipyard and Industrial
Engineering Tel : +237 233403056
Mob : +237 675295337
26
5
2
Samuel Owusu Appiah
Head of Projects
Ghana Shipyard Tel : +233 244336272
Mob : +233241014311
17
3
3
Federick Asamoah
Senior Surveyor
Tema Maritime Tel : +233242854992
Mob : +2233303210255
15
3
4
Clarence Kweku Akuamoa
Senior Surveyor
DNV Maritime Industry, North West Africa Tel : +23330303684
Mob : +233303210260
11
2
5
ANOLONG Emeranda Ndikum
Head of Department for Quality, Health and
Safety
Tel : +237 233403488
Mob : +237 679518911
08
1
N.B: Grade category
Years of experience Grade
26 and above 5
20 to 25 4
14 to 19 3
9 to 13 2
Less than 9 1
256
Appendix 5– Rule continuation 62-125 from Table 5.1
62 Average Moderate Unlikely 0.75 0.25
63 Average Moderate Likely 1
64 Average Moderate Highly L 0.25 0.75
65 Average Moderate Definite 0.25 0.75
66 Average Critical Highly U 0.4 0.35 0.25
67 Average Critical Unlikely 0.4 0.35 0.25
68 Average Critical Likely 0.4 0.6
69 Average Critical Highly L 0.65 0.35
70 Average Critical Definite 0.25 0.4 0.35
71 Average Catastrophic Highly U 0.4 0.35 0.25
72 Average Catastrophic Unlikely 0.4 0.35 0.25
73 Average Catastrophic Likely 0.4 0.6
74 Average Catastrophic Highly L 0.4 0.25 0.35
75 Average Catastrophic Definite 0.65 0.35
76 Frequent Negligible Highly U 0.35 0.65
77 Frequent Negligible Unlikely 0.35 0.25 0.4
78 Frequent Negligible Likely 0.35 0.25 0.4
79 Frequent Negligible Highly L 0.6 0.4
80 Frequent Negligible Definite 0.25 0.35 0.4
81 Frequent Marginal Highly U 0.35 0.4 0.25
82 Frequent Marginal Unlikely 0.35 0.65
83 Frequent Marginal Likely 0.35 0.25 0.4
84 Frequent Marginal Highly L 0.6 0.4
85 Frequent Marginal Definite 0.25 0.35 0.4
86 Frequent Moderate Highly U 0.35 0.4 0.25
87 Frequent Moderate Unlikely 0.35 0.4 0.25
88 Frequent Moderate Likely 0.35 0.65
89 Frequent Moderate Highly L 0.6 0.4
90 Frequent Moderate Definite 0.25 0.35 0.4
91 Frequent Critical Highly U 0.75 0.25
92 Frequent Critical Unlikely 0.75 0.25
93 Frequent Critical Likely 0.75 0.25
94 Frequent Critical Highly L 1
95 Frequent Critical Definite 0.25 0.75
96 Frequent Catastrophic Highly U 0.4 0.35 0.25
97 Frequent Catastrophic Unlikely 0.4 0.35 0.25
98 Frequent Catastrophic Likely 0.4 0.35 0.25
99 Frequent Catastrophic Highly L 0.4 0.6
100 Frequent Catastrophic Definite 0.65 0.35
101 Highly F Negligible Highly U 0.35 0.65
102 Highly F Negligible Unlikely 0.35 0.25 0.4
103 Highly F Negligible Likely 0.35 0.25 0.4
104 Highly F Negligible Highly L 0.35 0.25 0.4
105 Highly F Negligible Definite 0.6 0.4
106 Highly F Marginal Highly U 0.35 0.4 0.25
107 Highly F Marginal Unlikely 0.35 0.65
108 Highly F Marginal Likely 0.35 0.25 0.4
109 Highly F Marginal Highly L 0.35 0.25 0.4
110 Highly F Marginal Definite 0.6 0.4
111 Highly F Moderate Highly U 0.35 0.4 0.25
112 Highly F Moderate Unlikely 0.35 0.4 0.25
113 Highly F Moderate Likely 0.35 0.65
114 Highly F Moderate Highly L 0.35 0.25 0.4
115 Highly F Moderate Definite 0.6 0.4
116 Highly F Critical Highly U 0.35 0.4 0.25
117 Highly F Critical Unlikely 0.35 0.4 0.25
118 Highly F Critical Likely 0.35 0.4 0.25
119 Highly F Critical Highly L 0.35 0.65
120 Highly F Critical Definite 0.6 0.4
121 Highly F Catastrophic Highly U 0.75 0.25
122 Highly F Catastrophic Unlikely 0.75 0.25
123 Highly F Catastrophic Likely 0.75 0.25
124 Highly F Catastrophic Highly L 0.75 0.25
125 Highly F Catastrophic Definite 1
257
Appendix 6 – Base events combination rules
Base event 19
S 19 = [0.2713P, 0.1878F, 0.3351A, 0.0848G, 0.1210VG]
HF CR HL
A MO HU
L MO HU
L MO U
L CR U
3/5 HF 1/5 CR 1/5 HL
1/5AV 3/5 MO 1/5 U
1/5L 3/5 HU
NO Plausibility FL CS
FCP Rule
1 (3/5) ( 1/5)( 1/5) HF CR HL 119
2 (3/5)(1/5) (1/5) HF CR U 117
3 (3/5)(1/5)( 3/5) HF CR HU 116
4 (3/5) (3/5 (1/5) HF MO HL 114
5 (3/5)( 3/5)(1/5) HF MO U 112
6 (3/5)(3/5)(3/5) HF MO HU 111
7 (1/5)(1/5 (1/5) AV CR HL 69
8 (1/5)(1/5)(1/5) AV CR U 68
9 (1/5)(1/5)(3/5) AV CR HU 67
10 (1/5)(3/5)(1/5) AV MO HL 64
11 (1/5)(3/5)(1/5) AV MO U 62
12 (1/5)(1/5)(1/5) AV MO HU 61
13 (1/5)(1/5)(1/5) L CR HL 44
14 (1/5)(1/5)(1/5) L CR U 42
15 (1/5)(1/5)(3/5) L CR HU 41
16 (1/5)(3/5)(1/5) L MO HL 39
17 (1/5)(3/5)(1/5) L MO U 37
18 (1/5)(1/5)(1/5) L MO HU 36
3 x 2x 3 = 18 rules
= =
Expert aggregation of
base events to obtain
output S
Output S aggregation using ER to obtain middle
event reliability input M
258
Basic event 20
S20 = [OP, 0.2144F, 0.4594A, 0.3262G, 0VG]
Basic Event 21
S 21= [0P, O.419F, 0.58A, 0G, 0VG] 0R [OP, 0.964F, 0.0906A, 0, 0]
F MO L
A MA HL
A MA HL
A MA L
F MA L
2/5 F 1/5 MO 2/5 HL
3/5A 4/5 MA 3/5 L
NO Degree FL CS
FCP Rule
1 (2/5) (1/5)( 2/5) F MO HL 89
2 (2/5)(1/5) (3/5) F MO L 88
3 (2/5)(4/5)( 2/5) F MA HL 84
4 (2/5) (4/5 (3/5) A MA L 83
5 (3/5)(1/5)(2/5) A MO HL 64
6 (3/5)(1/5)(3/5) A MO L 63
7 (3/5)(4/5 (2/5) A MA HL 59
8 (3/5)(4/5 (3/5) A MA L 58
A MO L
A CR L
A CR L
A CR L
A MO L
5/5 A 3/5 CR 5/5L
2/5 MO
NO Degree FL CS
FCP Rule
1 (5/5) (3/5)( 5/5) A CR L 63
2 (5/5)(2/5) (5/5) A MO L 68
2 x 2 x 2 = 8 rules
= =
1 x 2 x 1 = 2 rules
=
=
259
Basic event 18
S18 = [0P, 0.211F, 0.9491A, 0.297G, 0E]
Basic event 17
S17 = [0P, 0F, 0A, 0.25G, 0.75E]
A MO L
A MO L
A MO L
A MO L
L MO HL
4/5 A 4/5 MO 4/5 L
1/5L 1/5H L
NO Degree FL CS
FCP Rule P F A G VG
1 (4/5) (4/5)( 4/5) A MO L 63 1
2 (4/5)(4/5) (1/5) A MO HL 64 0.25 0.75
3 (1/5) (4/5)( 4/5) L MO L 38 0.65 0.35
4 (1/5) (4/5)( 1/5) L MO HL 39 0.25 0.4 0.35
L NE U
VL MO U
VL MA U
VL MA U
L MA HL
3/5VL 1/5 NE 4/5 U
2/5 L 3/5MA 1/5HL
1/5MO
NO Degree FL CS
FCP Rule P F A G VG
1 (3/5) (1/5)( 4/5) VL NE U 2 0.25 0.75
2 (3/5)(1/5) (1/5) VL NE HL 4 0.25 0.75
3 (3/5) (3/5)( 4/5) VL MA U 7 0.65 0.35
4 (3/5) (3/5)( 1/5) VL MA HL 9 0.25 0.4 0.35
5 (3/5) (1/5)( 4/5) VL MO U 12 0.4 0.25 0.35
6 (3/5) (1/5)( 1/5) VL MO HL 14 0.25 0.4 0.35
7 (2/5) (1/5)( 4/5) L NE U 27 0.6 0.4
8 (2/5) (1/5)( 1/5) L NE HL 29 0.25 0.35 0.4
9 (2/5) (3/5)( 4/5) L MA U 32 1
10 (2/5) (3/5)( 1/5) L MA HL 34 0.35 0.65
11 (2/5) (1/5)( 4/5) L MO U 37 0.4 0.6
12 (2/5) (1/5)( 1/5) L MO HL 39 0.25 0.4 0.35
= 2 x 1 x 2 = 4 rules
=
= =
2 x 3 x 2 = 12 rules
260
Basic event 16
S = [0P, 0F, 0.25A, 0.4G, 0.35E]
Basic event 15
S = [0P, 0F, 0.657A, 0.4047G, 0.5296E]
VL CR L
VL CR L
A MA L
VL MA L
VL MA L
4/5VL 3/5 MA 5/5 L
2/5 A 2/5CR
NO Degree FL CS
FCP Rule P F A G VG
1 (4/5) (3/5)( 5/5) VL MA L 8 0.25 0.4 0.35
2 (4/5)(2/5) (5/5) VL CR L 18 0.4 0.25 0.35
3 (2/5) (3/5)( 5/5) A MA L 58 0.6 0.4
4 (2/5) (2/5)( 5/5) A CR L 68 0.4 0.6
A CR HL
A CR L
A CR HL
A CR HL
A CR L
5/5A 5/5 CR 3/5 L
2/5HL
NO Degree FL CS
FCP Rule P F A G VG
1 (5/5) (5/5)( 3/5) A CR L 68 0.4 0.6
2 (5/5)(5/5) (2/5) A CR HL 69 0.25 0.4 0.35
= = 2 x 2 x 1 = 4 rules
= =
1 x 1 x 2 = 2 rules
261
Basic event 14
S14 = [0P, 0.1337F, 0.5424A, 0.2075G, 0.1163VG]
Basic event 13
S13 = [0.34P, 0.3175F, 0.22687A, 0.42187G, 0E]
L MO L
VL CR L
L MO L
VL CR L
L MO L
3/5 L 3/5 MO 5/5 L
2/5 VL 2/5 CR
NO Degree FL CS
FCP Rule P F A G VG
1 (3/5) (3/5)( 5/5) L MO L 38 0.65 0.35 0.35
2 (3/5)(2/5) (5/5) L CR L 43 0.4 0.25 0.35
3 (2/5) (3/5)( 5/5) VL MO L 13 0.65 0.35
4 (2/5) (2/5)( 5/5) VL CR L 18 0.4 0.25 0.35
F MA L
F MA L
F MA L
F MA L
F MA HL
5/5F 5/5 MA 4/5 L
1/5HL
NO Degree FL CS
FCP Rule P F A G VG
1 (5/5) (5/5)(4/5) F MA L 83 0.35 0.25 0.4
2 (5/5)(5/5)(1/5) F MA HL 69 0.6 0.4
= = 2 x 2 x 1 = 4 rules
= =
1 x 1 x 2 = 2 rules
262
Basic event 12
S12 = [0P, 0.593F, 0.3839A, 0.1470G, 0.4099E]
Basic event 11
S11 = [0P, 0F, 0.317A, 0.8114G, 0.1287E]
F NE U
A MO U
A MA U
L MA U
A MA HL
1/5 F 3/5NE 3/5 HU
3/5 A 2/5MO 2/5U
1/5 L
NO Degree FL CS
FCP Rule P F A G VG
1 (1/5) (3/5)( 3/5) F NE HU 76 0.35 0.65
2 (1/5)(3/5) (2/5) F NE U 77 0.35 0.25 0.4
3 (1/5) (2/5)( 3/5) F MO HU 86 0.35 0.4 0.25
4 (1/5) (2/5)( 2/5) F MO U 87 0.35 0.4 0.25
5 (3/5) (3/5)( 3/5) A NE HU 51 0.35 0.65
6 (3/5) (3/5)( 2/5) A NE U 52 0.35 0.25 0.4
7 (3/5) (2/5)( 3/5) A MO HU 61 0.75 0.25
8 (3/5) (2/5)( 2/5) A MO U 62 0.75 0.25
9 (1/5) (3/5)( 3/5) L NE HL 26 0.35 0.65
10 (1/5) (3/5)( 2/5) L NE U 27 0.6 0.4
11 (1/5) (2/5)( 3/5) L MO HU 36 0.4 0.35 0.25
12 (1/5) (2/5)( 2/5) L MO U 37 0.4 0.6
2/5VL 1/5 NE 4/5 U
3/5 L 4/5MA 1/5 L
L MA U
L NE U
L MA U
VL MA U
VL MA HL
NO Degree FL CS
FCP Rule P F A G VG
1 (2/5) (1/5)( 4/5) VL NE U 2 0.25 0.75
2 (2/5)(1/5) (1/5) VL NE L 3 0.25 0.75
3 (2/5) (4/5)( 4/5) VL MA U 7 0.65 0.35
4 (2/5) (4/5)( 1/5) VL MA L 8 0.25 0.4 0.35
5 (3/5) (1/5)( 4/5) L NE U 27 0.6 0.4
6 (3/5) (1/5)( 1/5) L NE L 28 0.25 0.35 0.4
7 (3/5) (4/5)( 4/5) L MA U 32 1
8 (3/5) (4/5)( 1/5) L MA L 33 0.25 0.75
= = 3 x 2 x 2 = 12 rules
= = 2 x 2 x 2 = 8 rules
263
Basic event 10
S10 = [0P, 0.1134F, 0.4067A, 0.1245G, 0.3554E]
Basic event 9
S9 = [0P, 0.4394F, 0A, 0.5606G, 0VG]
F MO L
A MO L
F MO L
A MO L
A CR L
3/5A 4/5 NE 5/5 L
2/5 F 1/5MA
NO Degree FL CS
FCP Rule P F A G VG
1 (3/5) (4/5)( 5/5) A NE L 53 0.6 0.4
2 (3/5)(1/5) (5/5) A MA L 58 0.6 0.4
3 (2/5) (4/5)( 5/5) F NE L 78 0.35 0.25 0.4
4 (2/5) (1/5)( 5/5) F MA L 83 0.35 0.25 0.4
F MA HL
F MA HL
F CR HL
L CR HL
L CR HL
3/5 L 4/5 MA 5/5 HL
2/5 F 1/5 CR
NO Degree FL CS
FCP Rule P F A G VG
1 (3/5) (4/5)( 5/5) L MA HL 34 0.25 0.75
2 (3/5)(1/5) (5/5) L CR HL 44 0.65 0.35
3 (2/5) (4/5)( 5/5) F MA HL 84 0.6 0.4
4 (2/5) (1/5)( 5/5) F CR HL 83 1
= = 2 x 2 x 1 = 4 rules
= = 2 x 2 x 1 = 4 rules
264
Basic event 8
S8 = [0.1433, 0.3129F, 0.5438A, 0G, 0E]
Basic event 7
S7 = [0P, 0F, 0A, 0.2260G, 0.774VG]
A CT HL
A CT HL
A MO HL
A MO HL
A CR HL
5/5A 2/5 MO 5/5 HL
1/5CR
2/5 CT
NO Degree FL CS
FCP Rule P F A G VG
1 (5/5) (2/5)( 5/5) A MO HL 64 0.25 0.75
2 (5/5)(1/5) (5/5) A CR HL 69 0.65 0.35
3 (5/5) (2/5)( 5/5) A CT HL 74 0.4 0.25 0.35
VL MA HU
L NE HU
VL MA HU
L NE HU
VL NE HU
3/5 VL 3/5 NE 5/5 HU
2/5 L 2/5 MA
NO Degree FL CS
FCP Rule P F A G VG
1 (3/5) (3/5)( 5/5) VL NE HU 1 1
2 (3/5)(2/5) (5/5) VL MA HU 6 0.4 0.6
3 (2/5) (3/5)( 5/5) L NE HU 26 0.35 0.65
4 (2/5) (2/5)( 5/5) L MA HU 31 0.65 0.35
= =
1 x 3 x 1 = 3 rules
= =
2 x 2 x 1 = 4 rules
265
Basic event 6
S6 = [0P, 0F, 0.1295A, 0.4015G, 0.4691E]
Basic event 5
S5 = [0.161P,0.3937F,0.2328A,0.885G,0.1241E]
3/5L 3/5 NE 2/5 UL
2/5HF 2/5MO 3/5 HL
L MO HL
L NE HL
L MO UL
HF NE UL
HF NE HL
NO Degree FL CS
FCP Rule P F A G VG
1 (3/5)(3/5)(2/5) L NE UL 2 0.25 0.75
2 (3/5)(3/5) (3/5) L NE HL 3 0.25 0.75
3 (3/5) (2/5)(2/5) L MO UL 7 0.65 0.35
4 (3/5) (2/5)(3/5) L MO HL 8 0.25 0.4 0.35
5 (3/5) (3/5)(2/5) HF NE UL 27 0.6 0.4
6 (2/5) (3/5)(3/5) HF NE HL 28 0.25 0.35 0.4
7 (2/5) (2/5)(2/5) HF MO UL 32 1
8 (2/5) (2/5)( 3/5) HF MO HL 33 0.25 0.75
2/5 VL 2/5 CR 2/5 L
1/5 L 3/5CT 3/5 HL
2/5 A
A CR HL
A CT L
L CT HL
VL CR HL
VL CT L
NO Degree FL CS
FCP Rule P F A G VG
1 (3/5) (3/5)(2/5) VL CR L 18 0.4 0.25 0.35
2 (3/5)(3/5) (3/5) VL CR HL 19 0.65 0.35
3 (3/5) (2/5)(2/5) VL CT L 23 0.4 0.25 0.35
4 (3/5) (2/5)(3/5) VL CT HL 24 0.4 0.25 0.35
5 (3/5) (3/5)(2/5) L CR L 43 0.4 0.25 0.35
6 (2/5) (3/5)(3/5) L CR HL 44 0.65 0.35
7 (2/5) (2/5)(2/5) L CT L 48 0.4 0.25 0.35
8 (2/5) (2/5)( 3/5) L CT HL 49 0.4 0.25 0.35
9 (3/5) (3/5)(2/5) A CR L 68 0.4 0.6
10 (3/5) (3/5)(2/5) A CR HL 69 0.65 0.35
11 (3/5) (3/5)(2/5) A CT L 73 0.4 0.6
12 (3/5) (3/5)(2/5) A CT HL 74 0.4 0.25 0.35
= = 2 x 2 x 2 = 8 rules
= =
3 x 2 x 2 = 12 rules
266
Basic event 4
S4= [0P,0.0811F,0.1755A,0.3532G,0.3902VG]
L MA U
F NE U
L MO L
F NE L
VL NE HU
1/5 VL 3/5 NE 1/5 HU
2/5 L 1/5MA 2/5 U
1/5F 1/5MO 2/5 L
NO Degree FL CS
FCP Rule P F A G VG
1 (1/5) (3/5)(1/5) VL NE HU 1 1
2 (1/5)(3/5) (2/5) VL NE U 2 0.25 0.75
3 (1/5) (3/5)(2/5) VL NE L 3 0.25 0.75
4 (1/5) (1/5)(1/5) VL MA HU 6 0.4 0.6
5 (1/5) (1/5)(2/5) VL MA U 7 0.65 0.35
6 (1/5) (1/5)(2/5) VL MA L 8 0.25 0.4 0.35
7 (1/5) (1/5)(1/5) VL MO HU 11 0.4 0.6
8 (1/5) (1/5)( 2/5) VL MO U 12 0.4 0.25 0.35
9 (1/5) (1/5)( 2/5) VL MO L 13 0.65 0.35
10 (2/5) (3/5)( 1/5) L NE HU 26 0.35 0.65
11 (2/5) (3/5)( 2/5) L NE U 27 0.6 0.4
12 (2/5) (3/5)( 2/5) L NE L 28 0.25 0.35 0.4
13 (2/5) (1/5)( 1/5) L MA HU 31 0.65 0.35
14 (2/5) (1/5)( 2/5) L MA U 32 1
15 (2/5) (1/5)( 2/5) L MA L 33 0.25 0.75
16 (2/5) (1/5)( 1/5) L MO HU 36 0.4 0.35 0.25
17 (2/5) (1/5)( 2/5) L MO U 37 0.4 0.6
18 (2/5) (1/5)( 2/5) L MO L 38 0.65 0.35
19 (1/5) (3/5)( 1/5) F NE HU 76 0.35 0.65
20 (1/5) (3/5)( 2/5) F NE U 77 0.35 0.25 0.4
21 (1/5) (3/5)( 2/5) F NE L 78 0.35 0.25 0.4
22 (1/5) (1/5)( 1/5) F MA HU 81 0.35 0.4 0.25
23 (1/5) (1/5)( 2/5) F MA U 82 0.35 0.65
24 (1/5) (1/5)( 2/5) F MA L 83 0.35 0.25 0.4
25 (1/5) (1/5)( 1/5) F MO HU 86 0.35 0.4 0.25
26 (1/5) (1/5)( 2/5) F MO U 87 0.35 0.4 0.25
27 (1/5) (1/5)( 2/5) F MO L 88 0.35 0.65
= = 3 x 3 x 3 = 27 rules
267
Basic event 3
S3 = [0.1721P, 0.3993F, 0.2108A,0.99G, 0.118E]
Basic event 2
S2 = [0P, 0.2758F, 0.1980A, 0G, 0.5262E]
2/5 VL 2/5 CR 2/5 L
1/5 L 3/5CT 3/5 HL
2/5 A
A CR HL
A CT L
L CT HL
VL CR HL
VL CT L
NO Degree FL CS
FCP Rule P F A G VG
1 (3/5) (3/5)(2/5) VL CR L 18 0.4 0.25 0.35
2 (3/5)(3/5) (3/5) VL CR HL 19 0.65 0.35
3 (3/5) (2/5)(2/5) VL CT L 23 0.4 0.25 0.35
4 (3/5) (2/5)(3/5) VL CT HL 24 0.4 0.25 0.35
5 (3/5) (3/5)(2/5) L CR L 43 0.4 0.25 0.35
6 (2/5) (3/5)(3/5) L CR HL 44 0.65 0.35
7 (2/5) (2/5)(2/5) L CT L 48 0.4 0.25 0.35
8 (2/5) (2/5)( 3/5) L CT HL 49 0.4 0.25 0.35
9 (3/5) (3/5)(2/5) A CR L 68 0.4 0.6
10 (3/5) (3/5)(2/5) A CR HL 69 0.65 0.35
11 (3/5) (3/5)(2/5) A CT L 73 0.4 0.6
12 (3/5) (3/5)(2/5) A CT HL 74 0.4 0.25 0.35
VL CR L
VL NE L
VL CR HL
VL CR L
VL NE L
5/5 VL 2/5 NE 4/5 L
3/5 CR 1/5 HL
NO Degree FL CS
FCP Rule P F A G VG
1 (5/5) (2/5)(4/5) VL NE L 3 0.25 0.75
2 (5/5) (2/5)(1/5) VL NE HL 4 0.25 0.75
3 (5/5) (3/5)(4/5) VL CR L 18 0.4 0.25 0.35
4 (5/5) (3/5)(1/5) VL CR HL 19 0.65 0.35
= = 3 x 2 x 2 = 12 rules
= =
1 x 2 x 2 = 4 rules
268
Basic event 1
S1= [0P, 0.510F, 0.4915A, 0.37G, 0.809E]
L MO U
L MO U
AV MO HU
L MO HU
F MO U
3/5 L 5/5 MO 2/5 HU
1/5AV 3/5 U
1/5 F
NO Degree FL CS
FCP Rule P F A G VG
1 (3/5) (5/5)(2/5) L MO HU 36 0.4 0.35 0.25
2 (3/5)(5/5)(3/5) L MO U 37 0.4 0.6
3 (1/5) (5/5)(2/5) AV MO HU 61 0.75 0.25
4 (1/5) (5/5)(3/5) AV MO U 62 0.75 0.25
5 (1/5) (5/5)(2/5) F MO HU 86 0.35 0.4 0.25
6 (1/5) (5/5)(3/5) F MO U 87 0.35 0.4 0.25
= =
3 x 1 x 2 = 6 rules
269
Appendix 7 – Cost benefit analysis result
RCOA1 Result
RCOA3 Result
270
RCOA4 Result
RCOA5 Result
271
RCOA6 Result
RCOB1 Result
272
RCOB2 Result
RCOB3 Result
273
RCOB4 Result
RCOB5 Result
274
RCOB6 Result